[Mono-dev] setuid application

Robert Jordan robertj at gmx.net
Mon Mar 2 13:11:32 EST 2009


Gladish, Jacob wrote:
> Before proceeding with my current plan, I wanted to get any feedback
> from anyone who may have explored building a mono app that has
> setuid. My application is mostly managed code, with a few p/invoke
> calls, but it's been pretty platform agnostic thus far. I need to
> have setuid privileges on my app, and the best way I have come up
> with so far is to have a small native app that acts as a host that
> has setuid on it. I certainly don't want to change the permissions on
> /usr/bin/mono. Does anyone have any other suggestions?

Employing a wrapper is a good plan, but you should sanitize
or clean the environment (i.e. wiping all vars which start with
MONO_*) before passing control to mono. Otherwise a malicious caller
might be able to instruct mono to create arbitrary files with
the ID of the setuid user.

Robert
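
The wrapper approach discussed above, written out as an added example (not code from this thread or from the Mono project): a setuid host that drops every MONO_* variable from its environment and then executes /usr/bin/mono by absolute path. The assembly path /opt/example/app.exe and the names scrub_mono_env, MONO_BIN and APP_PATH are assumptions made for illustration.

```c
/* Added example: setuid host that strips MONO_* before starting mono. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

#define MONO_BIN "/usr/bin/mono"          /* path named in the thread */
#define APP_PATH "/opt/example/app.exe"   /* hypothetical placeholder */

/* Compact a NULL-terminated env array in place, dropping every entry whose
 * name starts with "MONO_". Returns the number of entries dropped. */
static int scrub_mono_env(char **envp)
{
    char **dst = envp;
    int dropped = 0;

    for (char **src = envp; *src != NULL; src++) {
        if (strncmp(*src, "MONO_", 5) == 0)
            dropped++;          /* caller-controlled runtime setting: discard */
        else
            *dst++ = *src;      /* keep, preserving original order */
    }
    *dst = NULL;
    return dropped;
}

int main(int argc, char **argv)
{
    /* A caller can exec us with an empty argv; refuse instead of indexing it. */
    if (argc < 1)
        return 126;

    /* Fixed argv[0] and assembly path; only the caller's arguments pass through. */
    char *child_argv[argc + 2];
    child_argv[0] = "mono";
    child_argv[1] = APP_PATH;
    for (int i = 1; i < argc; i++)
        child_argv[i + 1] = argv[i];
    child_argv[argc + 1] = NULL;

    scrub_mono_env(environ);

    /* execve with an absolute path: no PATH lookup, only the scrubbed env. */
    execve(MONO_BIN, child_argv, environ);
    perror("execve");
    return 127;
}
```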


