Summary: | login: Extend and add features to session (struct) | ||
---|---|---|---|
Product: | Base System | Reporter: | jau |
Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> |
Status: | Open --- | ||
Severity: | Affects Some People | CC: | cem |
Priority: | --- | Keywords: | feature, needs-patch, security |
Version: | CURRENT | ||
Hardware: | Any | ||
OS: | Any |
Description
jau
2019-06-04 08:25:57 UTC
Re: (1): s_login is only modified by setlogin(2), which requires PRIV_PROC_SETLOGIN, which ... is always permitted for the current process on its session. Each time it is set, it produces an audit record, AUDIT_ARG_LOGIN(). You could conceivably add a flag to session 'has_login_been_set', set it as appropriate, and check it in priv_check PRIV_PROC_SETLOGIN under securelevel. But why? What does it mean to restrict setlogin(2) to "new" sessions? Users can always just create a new process and make it the new session leader (setsid() or setpgid()). The old process gets a new "login" on its associated session. Re: (2): I don't think this metadata makes much sense in session. It's out of line with existing session metadata (mostly tracking process group and controlling terminal -- heavily tied to shell login and process groups). In particular, sessions are a process concept, not a thread one. There is no guarantee that all httpds follow the model required for this to make sense. And if you have to fix httpds, you might as well just pass the information to the worker in some side channel; either environment variables, or a pipe, or shared memory segment. I guess the target network daemon is sshd, which is single threaded, and for that it might work? But it doesn't really generalize, IMO. |