Doing the unexpected

Root Boy Jim rbj at icst-cmr.arpa
Sat May 28 12:38:10 AEST 1988


   Date: Wed, 25 May 88 22:46:48 CDT
   From: Operator <vuse!root at uunet.uu.net>

   Tonight, one of my users executed the /etc/rc script twice. This had the
   not-very-amusing effect of causing multiple copies of some daemons such
   as sendmail to be running. I have noticed before that users can execute
   the administrative daemons and the user-started daemon will displace the
   system-started daemon from the distiguished port that that particular
   daemon listens to. When this happens, all manner of "not-very-amusing"
   things happen due to protection problems.

   Is there a solution to this problem? I believe that there are files
   in the /etc directory that are expected to to be readable with normal
   user permissions so I don't think I can simply deny access to the
   directory. I can't think of any way to prevent users from starting
   sendmail as a daemon without denying ALL execution access to sendmail.
   I suppose I could make /etc/rc unreadable but this seems to ignore the
   real problem

As you said above, you can't deny access to the entire directory, because
there are files that must be world readable. You can trun off the world
execute bit on commands you don't want l'users to run tho.

   Any suggestions on how to prevent a user daemon from displacing a
   system daemon in general?

This is really up to the daemon. In many cases it is not setuid root, so
it should die when it attempts to do something privileged. In other cases,
the daemon should protect against multiple invocations by the masses, but
this is not much consolation if it doesn't. The idea of wrapper programs
is a good one if you really need this kind of protection. Perhaps the
wrapper would be setgid to some group and the real daemon executable only
by this group. The wrapper would validate access invoke the real program
if everything is okay and it wasn't previously running. Optionally, you
could kill the old daemon to provide a restart capability.

Just what daemons gave you problems?

	(Root Boy) Jim Cottrell	<rbj at icst-cmr.arpa>
	National Bureau of Standards
	Flamer's Hotline: (301) 975-5688
	The opinions expressed are solely my own
	and do not reflect NBS policy or agreement
	My name is in /usr/dict/words. Is yours?



More information about the Comp.unix.wizards mailing list