https://bugzilla.novell.com/show_bug.cgi?id=765948
https://bugzilla.novell.com/show_bug.cgi?id=765948#c9
Sebastian Krahmer changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW
InfoProvider|krahmer@suse.com |
--- Comment #9 from Sebastian Krahmer 2012-08-20 07:53:43 UTC ---
Following the least privilege principle, we should use that
option, yes.
(We'd need to check that libcapng doesn't potentially contain any
horrible holes itself.)
If that's not possible to use libcapng, privileges should be dropped
ASAP nevertheless, e.g. after opening the tun device if possible;
or at least before the send_fd() is called, because evil users might
use that to send messages with wrong peer credentials to nscd or
similar (bridge helper is sending message as root to any
socket on users behalf, so targeted server will see peer.uid==0).
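Added example, not part of the original comment or of the bridge helper's code: a minimal sketch of the ordering described above for a setuid-root helper, where the privileged open happens first, privileges are dropped permanently and verified, and only then is the descriptor handed over. The function name `drop_to_invoking_user` and the `fopen` stand-in for opening the tun device are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently drop a setuid-root process to the
 * invoking (real) user. Returns 0 on success, -1 if a step failed or
 * the drop turned out to be reversible. Assumes a setuid-root start, so
 * supplementary groups already belong to the invoking user. */
int drop_to_invoking_user(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is gone we can no longer change gids. */
    if (setgid(rgid) != 0)
        return -1;
    /* With euid 0, setuid() sets real, effective and saved uid at once. */
    if (setuid(ruid) != 0)
        return -1;

    /* Verify the drop took effect. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* Verify it is irreversible: a leftover saved id would let these succeed. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    if (rgid != 0 && setgid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Privileged step first (constructed stand-in for opening the tun device). */
    FILE *dev = fopen("/dev/net/tun", "r+");

    if (drop_to_invoking_user() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    /* Only from here on would the helper pass the descriptor to the caller
     * (the send_fd() step named in the comment), so the message is sent
     * with the invoking user's credentials instead of uid 0. */
    printf("now uid=%ld gid=%ld, device %s\n", (long)geteuid(),
           (long)getegid(), dev ? "open" : "not opened");
    if (dev)
        fclose(dev);
    return 0;
}
```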