[Mono-bugs] [Bug 542677] Add capability to run remote debugging with a specified account

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Tue Oct 20 09:37:45 EDT 2009


User martin at novell.com added comment

Martin Baulig <martin at novell.com> changed:

           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #3 from Martin Baulig <martin at novell.com>  2009-10-20 07:37:44 MDT ---
We will almost certainly not implement this and I strongly oppose any attempt
to even try.

"Fixing" this basically means running monovs-server.exe as root - either
directly or by sudo / pam authentication or some other means, it doesn't
matter.  One way or the other, the server would get extended privileges to do
the user switching.

On Linux, user switching is done with the setuid() system call, which requires
effective root permissions - there's no way for instance to switch from joe to
mike without having root access.  However, this is unacceptable anyway since
Mono hasn't been security audited yet, so we can't make the server setuid root.

The only other option is setting up sudo or ssh to invoke the server as another

This is also unacceptable because we don't do what perl calls "taint checking":

The monovs-server accepts input via .NET remoting, but Mono's remoting
implementation hasn't been security audited to be safe in setuid environments -
an attacker could easily compromise the system's security by passing malicious

And I mean by design, the server is used to execute arbitrary user-supplied

It's just so easy to simply ssh into the linux box as the correct user and
start monovs-server there (you can even use a different port), that it's simply
not worth worrying about this.

The risk of opening any security leaks is simply too high.
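As an added illustration of the setuid() point made in the comment above (example code written for this page, not code from the bug report or from Mono): a small C program that performs the user switch a monovs-server would have to do in order to run a debuggee under another account. Switching to one's own real uid always succeeds; switching to any other user needs CAP_SETUID, which a root (euid 0) process holds by default and an ordinary user process does not, so the second call fails with EPERM unless the program is run as root. The target uids (the caller's own uid, and uid 0 or 65534 as "some other user") are chosen only for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Attempt to switch this process to `target`, the way a server would have to
 * in order to run a debuggee as a different account.  Returns 0 on success,
 * otherwise the errno reported by setuid() (EPERM when unprivileged).
 */
int try_switch_uid(uid_t target)
{
    errno = 0;
    if (setuid(target) == 0)
        return 0;
    return errno;
}

/*
 * Whether the kernel would let this process become an arbitrary user.
 * Linux checks CAP_SETUID, which euid 0 carries by default; an ordinary
 * user process may only setuid() to its own real or saved uid.
 */
int holds_user_switching_privilege(void)
{
    return geteuid() == 0;
}

/* Pick a uid that is not ours, purely for the demonstration (assumption:
   uid 0 and uid 65534 exist or at least differ from the caller). */
uid_t pick_other_uid(void)
{
    return getuid() == 0 ? (uid_t)65534 : (uid_t)0;
}

int main(void)
{
    uid_t me = getuid();
    uid_t other = pick_other_uid();
    int rc;

    printf("running as uid %u (euid %u), may switch users: %s\n",
           (unsigned)me, (unsigned)geteuid(),
           holds_user_switching_privilege() ? "yes" : "no");

    /* Becoming ourselves is always permitted. */
    rc = try_switch_uid(me);
    printf("setuid(%u) [own uid]    -> %s\n", (unsigned)me,
           rc == 0 ? "ok" : strerror(rc));

    /* Becoming someone else is what needs root; EPERM otherwise. */
    rc = try_switch_uid(other);
    printf("setuid(%u) [other user] -> %s\n", (unsigned)other,
           rc == 0 ? "ok" : strerror(rc));

    return 0;
}
```

Run it once as an ordinary user and once under sudo: the first invocation shows the EPERM that a non-root monovs-server would hit, the second shows that the only way past it is to give the server root, which is exactly the trade-off the comment refuses.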
