Re: [Exim] Re: Exim and IBM DB2

Author: Philip Hazel
Date:
To: Matthew Byng-Maddick
CC: exim-users
Subject: Re: [Exim] Re: Exim and IBM DB2
On Thu, 20 Dec 2001, Matthew Byng-Maddick wrote:

> > - the daemon obeys setuid() to give up the privilege
>
> Because you then have a complicated daemon to audit, as opposed to the
> much smaller program below.


There isn't much code to audit in "create socket, bind to port 25,
setuid" at the start of the daemon... The remaining complication in
the daemon is the same in both cases.


OK, it is less to audit than "bind to port 25" in the helper scenario,
but you have additionally to make sure the helper cannot be run by
programs that shouldn't have access to it.

> Right. But the helper can be *managed* separately, and have, say, a
> configuration file, that says that "exim is allowed to bind to 25/tcp",


... at which point it becomes a lot less simple, and therefore harder
to audit. :-)

I'm not against it. But I suspect, when everything is taken into
account, there isn't an overwhelming argument either way.


--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.