From ae541decab234d800211990e9f077b1aada92d06 Mon Sep 17 00:00:00 2001 From: ian Date: Sun, 13 Aug 2000 12:16:58 +0000 Subject: [PATCH] @@ -1,3 +1,9 @@ +userv (1.0.2) unstable; urgency=low + + * Specification's usage notes section improved. + + -- + userv (1.0.1) stable frozen unstable; urgency=high IMPORTANT SECURITY FIX: --- debian/changelog | 6 + spec.html/ch-notes.html | 115 ++++-- spec.html/index.html | 14 +- spec.ps | 832 ++++++++++++++++++++++++---------------- spec.sgml | 97 +++-- spec.sgml.in | 97 +++-- 6 files changed, 726 insertions(+), 435 deletions(-) diff --git a/debian/changelog b/debian/changelog index 18aeeea..04031e2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +userv (1.0.2) unstable; urgency=low + + * Specification's usage notes section improved. + + -- + userv (1.0.1) stable frozen unstable; urgency=high IMPORTANT SECURITY FIX: diff --git a/spec.html/ch-notes.html b/spec.html/ch-notes.html index 24bcf2e..4ab167a 100644 --- a/spec.html/ch-notes.html +++ b/spec.html/ch-notes.html @@ -27,13 +27,25 @@ Applications and notes on use

-6.1 Standard services and directory management +6.1 Examples +

+ +

+The companion package, userv-utils, contains a selection of +example services, some of which are useful tools in their own right. +See the README in its top-level directory for details. +

+ +
+ +

+6.2 Standard services and directory management

In later versions of this specification standard service names and interfaces for common services such as mail delivery and WWW CGI -scripts will be specified. +scripts may be specified.

@@ -41,24 +53,27 @@ scripts will be specified. userv behind wrapper scripts may need to store information in the user's filespace to preserve the correct placement of the security perimiters. Such applications should usually do so in a directory -(created by them) ~/.userv/.servdata/service, where -service is the service name or application in question. +(created by them) ~/.userv/service, where service +is the service name or application in question. +

+ +

+If desired, a dot-directory inside ~/.userv may be used to +avoid the user becoming confused by finding parts of a semi-privileged +application's internal state in their filespace, and/or discourage +them from fiddling with and thus corrupting it.

-The use of a dot-directory inside ~/.userv will hopefully avoid -the user becoming confused by finding parts of a semi-privileged -application's internal state in their filespace, and or discourage -them from fiddling with and thus corrupting it. (Note that such -applications should of course not rely for their global integrity on -the integrity of the data on the user's side of the security -boundary.) +However, userv applications should of course not rely for their +global integrity and security on the integrity of the data on the +user's side of the security boundary.


-6.2 Reducing the number of absolutely privileged subsystems +6.3 Reducing the number of absolutely privileged subsystems

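Review bot: the recommended state location changes from ~/.userv/.servdata/service to ~/.userv/service, and the dot-directory goes from the expected layout to an optional one, which is a change of advice for any wrapper script that followed the old text; the 1.0.2 changelog entry only says the usage notes were "improved", so either mention the new recommended path there or state here that the older .servdata layout remains acceptable. While this paragraph is being rewritten, the unchanged context line still reads "perimiters"; make it "perimeters". The closing sentence correctly says a userv application must not rely on the integrity of data on the user's side of the boundary; it would help to spell out what that means for this directory, namely that although the service creates it, it lives in the user's filespace, so the service has to treat the directory, its prior existence and everything under it as user-controlled input rather than as trusted state (this is a suggestion for the text, not something the hunk already says).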
@@ -69,20 +84,21 @@ trusted with the security of the system.

-Using userv many of these subsystems no longer need any unusual -privilege. +If they were to use userv, many of these subsystems would no +longer need any unusual privilege.

cron and at, lpr and the system's mail transfer agent (sendmail, smail, exim or the like) all -fall into this category. +fall into this category, though userv-based versions of these +programs are not currently available.


-6.3 Do not give away excessive privilege to userv-using facilities +6.4 Do not give away excessive privilege to userv-using facilities

@@ -154,39 +170,76 @@ facilities which currently run as root. It is debatable whether the user-controlled state should be kept in the user's filespace (in dotfiles, say) or kept in a separate area set aside for the purpose; however, using the user's home directory (and -probably creating a separate subdirectory of it as a dotfile to -contain many subsystems' state) has fewer implications for the rest of -the system and makes it entirely clear where the security boundaries -lie. +possibly creating a separate subdirectory of it as a dotfile to +contain subsystem state) has fewer implications for the rest of the +system and makes it entirely clear where the security boundaries lie.


-6.4 userv is not a replacement for really and sudo +6.5 userv can often replace sudo, but not really

userv is not intended as a general-purpose system administration tool with which system administrators can execute -privileged programs when they need to. It is unsuitable for this -purpose precisely because it enforces a strong separation between the -calling and the called program, which is undesirable in this context. +arbitrary programs like text editors as root (or other system users) +when they need to. It is unsuitable for this purpose precisely +because it enforces a strong separation between the calling and the +called program, which is undesirable in this context. +

+ +

+However, its use when restricted to running particular programs in +particular ways is very similar to many common uses of +sudo[2]. userv is +generally much better than restricted sudo, because it protects +the called program much more strongly from bad environmental +conditions set up by the caller. Most programs that one might want to +run via restricted sudo, have not been designed to run in a +partially hostile environment. userv allows these programs to +be run in a safer environment and should be used instead. +

+ +
+ +

+6.6 Error handling and input streams (eg stdin) +

+ +

+When the service program is reading from a file descriptor connected +to the calling side, the fd that the service program refers to a pipe +set up by userv and not to the same object as was presented by +the caller. +

+ +

+Therefore if there is some kind of error it is possible for the +service-side fd to give premature end of file. If it is important to +tell whether all of the intended data has been received by the service +program, the datastream must contain an explicit end-of-file +indication of some kind.

-Its facilities for restricting activities to running certain programs -may at first glance seem to provide similar functionality to -sudo[2]. However, the -separation mentioned above is a problem here too, particular for -interaction - it can be hard for a userv service program to -interact with its real caller or the user in question. +For example, consider a userv service for submitting a mail +message, where message is supplied on the service's stdin. However, +if the calling process is interrupted before it has written all of the +message, the service program will get EOF on the message data. In a +naive arrangement this would cause a half-complete message to be +sent. To prevent this, it is necessary to adopt some kind of explicit +end indication; for example, the end of the message could be signalled +by a dot on a line by itself, and dots doubled, as in SMTP. Then the +service program would know when the entire message had been received, +and could avoid queueing incomplete messages.


-6.5 Don't give access to general-purpose utilities +6.7 Don't give access to general-purpose utilities

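Review bot: the first paragraph of the new section 6.6 is missing a verb: "the fd that the service program refers to a pipe set up by userv" needs something after "service program" (for example "the fd that the service program reads from refers to a pipe set up by userv"), and as written the sentence that carries the section's main point does not parse. In the mail example, "However, if the calling process is interrupted" contrasts with nothing before it; "If the calling process is interrupted ..." is what is meant, and "where message is supplied on the service's stdin" wants "the message". In the 6.5 text, "Most programs that one might want to run via restricted sudo, have not been designed" has a stray comma before the verb. The new 6.5 heading, "userv can often replace sudo, but not really", reads as "but not actually" anywhere the program names are not typographically distinguished, such as a plain-text contents list; wording along the lines of "... but it does not replace really" avoids that. Lastly, 6.6 says the service "could avoid queueing incomplete messages" but stops short of saying what it must do when end of file arrives before the explicit end indication; stating that the missing terminator is to be treated as an error, and reported to the caller, would make the requirement unambiguous.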
diff --git a/spec.html/index.html b/spec.html/index.html index 86eb24d..81b82d7 100644 --- a/spec.html/index.html +++ b/spec.html/index.html @@ -31,7 +31,7 @@ between them.

Copyright Notice

-userv is Copyright 1996-1999 Ian Jackson. +userv is Copyright 1996-2000 Ian Jackson.

@@ -82,11 +82,13 @@ Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

  • 5 Information passed through the client/daemon combination
  • 6 Applications and notes on use diff --git a/spec.ps b/spec.ps index 9277903..f482349 100644 --- a/spec.ps +++ b/spec.ps @@ -1,6 +1,6 @@ %!PS-Adobe-3.0 %%Creator: Basser Lout Version 3.10 (November 1996) -%%CreationDate: Thu Jul 27 00:59:08 2000 +%%CreationDate: Sun Aug 13 13:16:53 2000 %%DocumentData: Binary %%DocumentNeededResources: (atend) %%DocumentMedia: Plain 595 842 0 white () @@ -261,15 +261,15 @@ gsave gsave 1 LoutMargSet grestore -340 fnt84 1359 13772(User)m 2118(ser)s 3(vice)k 3190(daemon)s -4421(and)s 5047(client)s 5922(speci\207cation)s 200 fnt82 2792 13256(Ian)m +340 fnt84 1359 13532(User)m 2118(ser)s 3(vice)k 3190(daemon)s +4421(and)s 5047(client)s 5922(speci\207cation)s 200 fnt82 2792 13016(Ian)m 3093(Jackson)s gsave -3770 13301 translate +3770 13061 translate 0.6953 1.0000 scale 200 fnt31 1031 -43()m grestore -240 fnt82 4305 12755(1.0.1)m -9066 609 0 609 240 240 60 0 11495 LoutGr2 +240 fnt82 4305 12515(1.0.1)m +9066 609 0 609 240 240 60 0 11255 LoutGr2 newpath 0 ysize 0.3 ft sub moveto xsize 0 rlineto 0 0.1 ft rlineto @@ -278,12 +278,12 @@ closepath fill grestore 320 fnt84 0 5(0.1.)m 628(Abstract)s grestore -0 11201(This)m 476(is)s +0 10961(This)m 476(is)s 686(a)s 852(speci\207cation)s 2117(for)s 2455(a)s 2621(Unix)s 3155(system)s 3879(f)s 2(acility)k 4606(to)s 4845(allo)s 6(w)k 5424(one)s 5826(program)s 6696(to)s 6935(in)s 9(v)k 4(ok)k 2(e)k -7628(another)s 8405(when)s 0 10961(only)m 480(limited)s 1214(trust)s -1698(e)s 3(xists)k 2290(between)s 3144(them.)s 9066 670 0 670 240 240 60 0 9937 LoutGr2 +7628(another)s 8405(when)s 0 10721(only)m 480(limited)s 1214(trust)s +1698(e)s 3(xists)k 2290(between)s 3144(them.)s 9066 670 0 670 240 240 60 0 9697 LoutGr2 newpath 0 ysize 0.3 ft sub moveto xsize 0 rlineto 0 0.1 ft rlineto 
@@ -294,53 +294,53 @@ grestore 0 66(0.2.)m 628(Copyright)s 2109(Notice)s grestore gsave -0 9697 translate +0 9457 translate 0.6953 1.0000 scale 240 fnt31 0 -52(userv)m grestore -560 9643(is)m 770(Cop)s 2(yright)k 1799(1996-1999)s 2889(Ian)s -3251(Jackson.)s gsave -0 9289 translate +560 9403(is)m 770(Cop)s 2(yright)k 1799(1996-2000)s 2893(Ian)s +3255(Jackson.)s gsave +0 9049 translate 0.6953 1.0000 scale 240 fnt31 0 -52(userv)m grestore -544 9235(is)m 737(free)s +544 8995(is)m 737(free)s 1146(softw)s 2(are;)k 2062(you)s 2460(can)s 2832(redistrib)s 4(ute)k 3955(it)s 4130(and/or)s 4784(modify)s 5512(it)s 5688(under)s 6276(the)s 6607(terms)s 7172(of)s 7426(the)s 7757(GNU)s -8315(General)s 0 8995(Public)m 659(License)s 1453(as)s 1698(published)s +8315(General)s 0 8755(Public)m 659(License)s 1453(as)s 1698(published)s 2682(by)s 2971(the)s 3314(Free)s 3789(Softw)s 2(are)k 4699(F)s 3(oundation;)k 5894(either)s 6492(v)s 3(ersion)k 7245(2)s 7414(of)s 7680(the)s 8023(License,)s 8867(or)s -0 8755(\(at)m 311(your)s 810(option\))s 1550(an)s 3(y)k -1947(later)s 2430(v)s 3(ersion.)k 0 8347(This)m 476(program)s +0 8515(\(at)m 311(your)s 810(option\))s 1550(an)s 3(y)k +1947(later)s 2430(v)s 3(ersion.)k 0 8107(This)m 476(program)s 1346(is)s 1556(distrib)s 4(uted)k 2632(in)s 2875(the)s 3223(hope)s 3745(that)s 4163(it)s 4355(will)s 4781(be)s -5063(useful,)s 5754(b)s 4(ut)k 240 fnt83 6116 8349(without)m -6898(any)s 7300(warr)s 3(anty)k 240 fnt82 8171 8347(;)m -8283(without)s 0 8106(e)m 6(v)k 3(en)k 500(the)s +5063(useful,)s 5754(b)s 4(ut)k 240 fnt83 6116 8109(without)m +6898(any)s 7300(warr)s 3(anty)k 240 fnt82 8171 8107(;)m +8283(without)s 0 7866(e)m 6(v)k 3(en)k 500(the)s 848(implied)s 1636(w)s 2(arranty)k 2537(of)s 240 fnt83 -2808 8108(mer)m 8(c)k 3(hantability)k 240 fnt82 4367 8106(or)m -240 fnt83 4626 8108(\207tness)m 5279(for)s 5623(a)s 5798(particular)s -6833(purpose)s 240 fnt82 7598 8106(.)m 7702(See)s 8103(the)s -8451(GNU)s 0 7866(General)m 811(Public)s 1475(License)s 
2274(for)s -2612(more)s 3159(details.)s 0 7458(Y)m 26(ou)k 442(should)s +2808 7868(mer)m 8(c)k 3(hantability)k 240 fnt82 4367 7866(or)m +240 fnt83 4626 7868(\207tness)m 5279(for)s 5623(a)s 5798(particular)s +6833(purpose)s 240 fnt82 7598 7866(.)m 7702(See)s 8103(the)s +8451(GNU)s 0 7626(General)m 811(Public)s 1475(License)s 2274(for)s +2612(more)s 3159(details.)s 0 7218(Y)m 26(ou)k 442(should)s 1139(ha)s 4(v)k 3(e)k 1640(re)s 1821(cei)s 6(v)k 3(ed)k 2494(a)s 2660(cop)s 2(y)k 3178(of)s 3449(the)s 3797(GNU)s 4372(Gen)s 4768(er)s 4953(al)s 5180(Pub)s 5546(lic)s 5837(Li)s 6043(cense)s 6630(along)s 7215(with)s gsave -7697 7512 translate +7697 7272 translate 0.6953 1.0000 scale 240 fnt31 0 -52(userv)m grestore 8197(;)s 8309(if)s 8526(not,)s -0 7217(write)m 546(to)s 785(the)s 1133(Free)s 1613(Soft)s +0 6977(write)m 546(to)s 785(the)s 1133(Free)s 1613(Soft)s 2011(w)s 2(are)k 2529(F)s 3(oun)k 3016(da)s 3242(tion,)s 3721(59)s 4012(T)s 16(em)k 4434(ple)s 4782(Place)s 5355(-)s 5483(Suite)s 6030(330,)s 6497(Boston,)s -7283(MA)s 7726(02111-1307,)s 0 6977(USA.)m 9066 610 0 610 240 240 60 0 6013 LoutGr2 +7283(MA)s 7726(02111-1307,)s 0 6737(USA.)m 9066 610 0 610 240 240 60 0 5773 LoutGr2 newpath 0 ysize 0.3 ft sub moveto xsize 0 rlineto 0 0.1 ft rlineto 
@@ -350,55 +350,36 @@ grestore 320 fnt84 0 6(0.3.)m 628(Contents)s grestore -0 5719(1.)m 1200(Introduction)s 8962(3)s 0 5492(2.)m -1200(Client)s 1844(program)s 2714(usage)s 8952(4)s 0 5255(2.1.)m -1200(Options)s 8952(4)s 0 5018(2.2.)m 1200(Security-o)s 3(v)k 3(erriding)k -3118(options)s 8958(7)s 0 4781(3.)m 1200(Ex)s 3(ecution)k +0 5479(1.)m 1200(Introduction)s 8962(3)s 0 5252(2.)m +1200(Client)s 1844(program)s 2714(usage)s 8952(4)s 0 5015(2.1.)m +1200(Options)s 8952(4)s 0 4778(2.2.)m 1200(Security-o)s 3(v)k 3(erriding)k +3118(options)s 8958(7)s 0 4541(3.)m 1200(Ex)s 3(ecution)k 2224(en)s 9(vironment)k 3484(of)s 3755(the)s 4103(service)s -4835(program)s 8959(8)s 0 4544(3.1.)m 1200(File)s 1627(descriptors)s -8959(8)s 0 4307(3.2.)m 1200(En)s 9(vironment)k 8955(9)s -0 4080(4.)m 1200(Service-side)s 2436(con\207guration)s 8831(10)s 0 3843(4.1.)m -1200(Con\207guration)s 2587(\207le)s 2948(syntax)s 8831(10)s 0 3606(4.2.)m +4835(program)s 8959(8)s 0 4304(3.1.)m 1200(File)s 1627(descriptors)s +8959(8)s 0 4067(3.2.)m 1200(En)s 9(vironment)k 8955(9)s +0 3840(4.)m 1200(Service-side)s 2436(con\207guration)s 8831(10)s 0 3603(4.1.)m +1200(Con\207guration)s 2587(\207le)s 2948(syntax)s 8831(10)s 0 3366(4.2.)m 1200(Con\207guration)s 2587(\207le)s 2948(directi)s 6(v)k 3(es)k -8831(10)s 0 3368(4.3.)m 1200(Errors)s 1847(in)s 2090(the)s -2438(con\207guration)s 3771(\207le)s 8833(16)s 0 3130(4.4.)m 1200(Def)s 2(aults)k -8833(16)s 0 2903(5.)m 1200(Information)s 2398(passed)s 3094(through)s -3896(the)s 4244(client/daemon)s 5655(combination)s 8839(18)s 0 2665(6.)m +8831(10)s 0 3128(4.3.)m 1200(Errors)s 1847(in)s 2090(the)s +2438(con\207guration)s 3771(\207le)s 8833(16)s 0 2890(4.4.)m 1200(Def)s 2(aults)k +8833(16)s 0 2663(5.)m 1200(Information)s 2398(passed)s 3094(through)s +3896(the)s 4244(client/daemon)s 5655(combination)s 8839(18)s 0 2425(6.)m 1200(Applications)s 2473(and)s 2877(notes)s 3433(on)s 3730(use)s -8831(20)s 0 2427(6.1.)m 1200(Standard)s 2108(services)s 2928(and)s 
-3332(directory)s 4248(management)s 8831(20)s 0 2189(6.2.)m 1200(Reducing)s -2171(the)s 2519(number)s 3310(of)s 3581(absolutely)s 4618(pri)s 6(vile)k 3(ged)k -5636(subsystems)s 8831(20)s 0 1951(6.3.)m 1200(Do)s 1546(not)s +8831(20)s 0 2187(6.1.)m 1200(Examples)s 8831(20)s 0 1949(6.2.)m +1200(Standard)s 2108(services)s 2928(and)s 3332(directory)s 4248(management)s +8831(20)s 0 1711(6.3.)m 1200(Reducing)s 2171(the)s 2519(number)s +3310(of)s 3581(absolutely)s 4618(pri)s 6(vile)k 3(ged)k +5636(subsystems)s 8831(20)s 0 1473(6.4.)m 1200(Do)s 1546(not)s 1912(gi)s 6(v)k 3(e)k 2371(a)s 3(w)k 2(ay)k 2925(e)s 3(xcessi)k 6(v)k 3(e)k 3885(pri)s 6(vile)k 3(ge)k 4781(to)s gsave -5020 2005 translate +5020 1527 translate 0.6953 1.0000 scale 240 fnt31 0 -52(userv)m grestore 5520(-using)s 6171(f)s 2(acilities)k -8831(20)s 0 1713(6.4.)m gsave -1200 1767 translate -0.6953 1.0000 scale -240 fnt31 0 -52(userv)m -grestore -1760(is)s -1970(not)s 2336(a)s 2502(replacement)s 3729(for)s gsave -4067 1767 translate -0.6953 1.0000 scale -240 fnt31 -0 -52(really)m -grestore -4727(and)s gsave -5131 1767 translate -0.6953 1.0000 scale -240 fnt31 0 -52(sudo)m -grestore -8851(21)s -0 1474(6.5.)m 1200(Don')s 4(t)k 1814(gi)s 6(v)k 3(e)k -2273(access)s 2934(to)s 3173(general-purpose)s 4769(utilities)s 8851(21)s -0 52(User)m 511(service)s 1243(daemon)s 2058(and)s 2462(client)s -3052(speci\207cation)s 8611(1.0.1)s +8831(20)s 0 52(User)m 511(service)s 1243(daemon)s 2058(and)s +2462(client)s 3052(speci\207cation)s 8611(1.0.1)s grestore grestore @@ -410,6 +391,7 @@ showpage %%BeginPageSetup %%PageResources: font Times-Roman %%+ font Times-Bold +%%+ font Courier-Bold /pgsave save def 0.0500 dup scale 10 setlinewidth %%EndPageSetup 
@@ -435,7 +417,29 @@ gsave gsave 0 LoutMargSet grestore -240 fnt84 0 13842(2)m 240 fnt82 0 52(1.0.1)m 4809(User)s +240 fnt84 0 13842(2)m 240 fnt82 0 13252(6.5.)m gsave +1200 13306 translate +0.6953 1.0000 scale +240 fnt31 +0 -52(userv)m +grestore +1760(can)s 2149(often)s 2697(replace)s gsave +3442 13306 translate +0.6953 1.0000 scale +240 fnt31 +0 -52(sudo)m +grestore +3842(,)s 3949(b)s 4(ut)k 4311(not)s +gsave +4677 13306 translate +0.6953 1.0000 scale +240 fnt31 0 -52(really)m +grestore +8851(21)s 0 13014(6.6.)m 1200(Error)s +1763(handling)s 2654(and)s 3058(input)s 3610(streams)s 4390(\(e)s 3(g)k +4745(stdin\))s 8832(22)s 0 12776(6.7.)m 1200(Don')s 4(t)k +1814(gi)s 6(v)k 3(e)k 2273(access)s 2934(to)s +3173(general-purpose)s 4769(utilities)s 8832(22)s 0 52(1.0.1)m 4809(User)s 5320(service)s 6052(daemon)s 6867(and)s 7271(client)s 7861(speci\207cation)s grestore @@ -5154,8 +5158,8 @@ grestore 2309(and)s 2935(notes)s 3765(on)s 4204(use)s grestore gsave -0 11649 translate -240 fnt82 9066 670 0 670 240 240 60 LoutGraphic +0 11650 translate +240 fnt82 9066 669 0 669 240 240 60 LoutGraphic gsave newpath 0 ysize 0.3 ft sub moveto xsize 0 rlineto 
@@ -5164,148 +5168,191 @@ xsize neg 0 rlineto closepath fill grestore 320 fnt84 -0 66(6.1.)m 628(Standard)s 1977(ser)s 3(vices)k 3110(and)s -3697(dir)s 5(ectory)k 5025(management)s -grestore -240 fnt82 0 11187(In)m -250(later)s 726(v)s 3(ersions)k 1565(of)s 1829(this)s -2219(speci\207cation)s 3477(standard)s 4339(service)s 5064(names)s 5720(and)s -6117(interf)s 2(aces)k 7087(for)s 7418(common)s 8306(services)s -0 10947(such)m 496(as)s 746(mail)s 1225(deli)s 6(v)k 3(ery)k -2053(and)s 2457(WWW)s 3193(CGI)s 3661(scripts)s 4335(will)s -4761(be)s 5043(speci\207ed.)s gsave -0 10593 translate +0 66(6.1.)m 628(Examples)s +grestore +240 fnt82 0 11188(The)m 428(companion)s +1549(package,)s gsave +2440 11242 translate +0.6953 1.0000 scale +240 fnt31 0 -52(userv\211utils)m +grestore +3541(,)s 3648(contains)s +4496(a)s 4662(selection)s 5568(of)s 5839(e)s 3(xample)k +6702(services,)s 7578(some)s 8139(of)s 8410(which)s 0 10948(are)m +347(useful)s 986(tools)s 1502(in)s 1745(their)s 2242(o)s 6(wn)k +2706(right.)s 3261(See)s 3662(the)s gsave +4010 11002 translate +0.6953 1.0000 scale +240 fnt31 0 -52(README)m + +grestore +4670(in)s 4913(its)s 5189(top-le)s 6(v)k 3(el)k +6084(directory)s 7000(for)s 7338(details.)s 9066 670 0 670 240 240 60 0 9924 LoutGr2 +newpath 0 ysize 0.3 ft sub moveto +xsize 0 rlineto +0 0.1 ft rlineto +xsize neg 0 rlineto +closepath fill +grestore +320 fnt84 0 66(6.2.)m +628(Standard)s 1977(ser)s 3(vices)k 3110(and)s 3697(dir)s 5(ectory)k +5025(management)s +grestore +0 9462(In)m 250(later)s 726(v)s 3(ersions)k +1565(of)s 1829(this)s 2219(speci\207cation)s 3477(standard)s 4339(service)s +5064(names)s 5720(and)s 6117(interf)s 2(aces)k 7087(for)s +7418(common)s 8306(services)s 0 9222(such)m 496(as)s 746(mail)s +1225(deli)s 6(v)k 3(ery)k 2053(and)s 2457(WWW)s +3193(CGI)s 3661(scripts)s 4335(may)s 4801(be)s 5083(speci\207ed.)s +gsave +0 8868 translate 0.6953 1.0000 scale 240 fnt31 0 -52(userv)m grestore -500 10539(-us)m -783(ing)s 1142(ap)s 1361(pli)s 1607(ca)s 
1819(tions)s -2335(and)s 2739(sys)s 3036(tem)s 3454(ser)s 3732(vices)s -4274(which)s 4916(hide)s gsave -5384 10593 translate +500 8814(-us)m 783(ing)s 1142(ap)s +1361(pli)s 1607(ca)s 1819(tions)s 2334(and)s 2737(sys)s +3034(tem)s 3451(ser)s 3729(vices)s 4270(which)s 4911(hide)s +gsave +5379 8868 translate 0.6953 1.0000 scale 240 fnt31 0 -52(userv)m grestore -5944(be)s -6166(hind)s 6650(wrap)s 7121(per)s 7486(scripts)s 8160(may)s -0 10299(need)m 510(to)s 749(store)s 1269(in)s 1452(for)s -1730(ma)s 2022(tion)s 2451(in)s 2694(the)s 3042(user')s 13(s)k -3650(\207lespace)s 4542(to)s 4781(pre)s 5082(serv)s 3(e)k -5639(the)s 5987(cor)s 6292(rect)s 6709(place)s 7209(ment)s -7747(of)s 8018(the)s 8366(se)s 8561(-)s 0 10059(cu)m -221(ri)s 360(ty)s 600(perim)s 1157(iters.)s 1671(Such)s -2207(ap)s 2426(pli)s 2672(ca)s 2884(tions)s 3400(should)s -4097(usu)s 4425(al)s 4592(ly)s 4832(do)s 5125(so)s -5391(in)s 5634(a)s 5800(di)s 5980(rec)s 6264(to)s -6443(ry)s 6696(\(cre)s 7062(at)s 7234(ed)s 7518(by)s -7812(them\))s gsave -0 9873 translate -0.6953 1.0000 scale -240 fnt31 0 -52(~/.userv/.servdata/)m gsave -2736 0 translate +5938(be)s 6160(hind)s 6643(wrap)s +7114(per)s 7478(scripts)s 8151(may)s 8616(need)s 0 8574(to)m +225(store)s 731(in)s 914(for)s 1192(ma)s 1484(tion)s +1899(in)s 2128(the)s 2462(user')s 13(s)k 3056(\207lespace)s +3934(to)s 4159(pre)s 4460(serv)s 3(e)k 5003(the)s +5337(cor)s 5642(rect)s 6045(place)s 6545(ment)s 7069(of)s +7326(the)s 7660(se)s 7855(cu)s 8076(ri)s 8215(ty)s +8441(perim)s 8998(-)s 0 8334(iters.)m 514(Such)s 1050(ap)s +1269(pli)s 1515(ca)s 1727(tions)s 2243(should)s 2940(usu)s +3268(al)s 3435(ly)s 3675(do)s 3968(so)s 4234(in)s +4477(a)s 4643(di)s 4823(rec)s 5107(to)s 5286(ry)s +5539(\(cre)s 5905(at)s 6077(ed)s 6361(by)s 6655(them\))s +gsave +7261 8388 translate +0.6953 1.0000 scale +240 fnt31 0 -52(~/.userv/)m gsave +1296 0 translate 1.4219 1.0000 scale -240 fnt83 0 -52(service)m +240 fnt83 0 -52(service)m +grestore grestore +8823(,)s +0 8094(where)m 
240 fnt83 640 8096(ser)m 937(vice)s 240 fnt82 +1374 8094(is)m 1584(the)s 1932(ser)s 2210(vice)s 2664(name)s +3238(or)s 3497(ap)s 3716(pli)s 3962(ca)s 4174(tion)s +4603(in)s 4846(ques)s 5276(tion.)s 0 7686(If)m 230(desired,)s +1027(a)s 1193(dot-directory)s 2494(inside)s gsave +3121 7740 translate +0.6953 1.0000 scale +240 fnt31 0 -52(~/.userv)m grestore -2563 9819(,)m 2670(where)s 240 fnt83 3310 9821(ser)m 3607(vice)s -240 fnt82 4044 9819(is)m 4254(the)s 4602(ser)s 4880(vice)s -5334(name)s 5908(or)s 6167(ap)s 6386(pli)s 6632(ca)s -6844(tion)s 7273(in)s 7516(ques)s 7946(tion.)s 0 9411(The)m -428(use)s 803(of)s 1074(a)s 1240(dot-directory)s 2541(inside)s +3982(may)s 4448(be)s 4730(used)s 5227(to)s 5466(a)s 4(v)k 4(oid)k +6048(the)s 6396(user)s 6854(becoming)s 7851(confused)s 8773(by)s +0 7446(\207nding)m 724(parts)s 1231(of)s 1493(a)s 1651(semi-pri)s 6(vile)k 3(ged)k +3190(application')s 13(s)k 4454(internal)s 5230(state)s 5714(in)s +5949(their)s 6437(\207lespace,)s 7372(and/or)s 8034(discourage)s 0 7206(them)m +538(from)s 1062(\207ddling)s 1860(with)s 2342(and)s 2746(thus)s +3196(corrupting)s 4245(it.)s 0 6798(Ho)m 6(we)k 6(v)k 3(er)k 9(,)k gsave -3168 9465 translate +960 6852 translate 0.6953 1.0000 scale -240 fnt31 0 -52(~/.userv)m +240 fnt31 0 -52(userv)m grestore -4029(will)s 4455(hopefully)s 5426(a)s 4(v)k 4(oid)k -6008(the)s 6356(user)s 6814(becoming)s 7811(confused)s 0 9171(by)m -294(\207nding)s 1026(parts)s 1541(of)s 1812(a)s 1978(semi-pri)s 6(vile)k 3(ged)k -3526(application')s 13(s)k 4798(internal)s 5582(state)s 6075(in)s -6318(their)s 6815(\207lespace,)s 7758(and)s 8162(or)s 0 8931(discourage)m -1092(them)s 1630(from)s 2154(\207ddling)s 2952(with)s 3434(and)s -3838(thus)s 4288(corrupting)s 5337(it.)s 5573(\(Note)s 6173(that)s -6591(such)s 7087(applications)s 8293(should)s 0 8691(of)m 271(course)s -951(not)s 1317(rely)s 1742(for)s 2080(their)s 2577(global)s -3230(inte)s 3(grity)k 4090(on)s 4387(the)s 4735(inte)s 3(grity)k -5595(of)s 5866(the)s 6214(data)s 
6672(on)s 6969(the)s -7317(user')s 13(s)k 7925(side)s 8366(of)s 8637(the)s -0 8451(security)m 810(boundary)s 15(.\))k 9066 670 0 670 240 240 60 0 7427 LoutGr2 +1520(applications)s 2726(should)s 3423(of)s +3694(course)s 4374(not)s 4740(rely)s 5165(for)s 5503(their)s +6000(global)s 6653(inte)s 3(grity)k 7513(and)s 7917(security)s +8727(on)s 0 6558(the)m 348(inte)s 3(grity)k 1208(of)s +1479(the)s 1827(data)s 2285(on)s 2582(the)s 2930(user')s 13(s)k +3538(side)s 3979(of)s 4250(the)s 4598(security)s 5408(boundary)s 15(.)k +9066 670 0 670 240 240 60 0 5534 LoutGr2 newpath 0 ysize 0.3 ft sub moveto xsize 0 rlineto 0 0.1 ft rlineto xsize neg 0 rlineto closepath fill grestore -320 fnt84 0 66(6.2.)m -628(Reducing)s 1997(the)s 2497(number)s 3655(of)s 4018(absolutely)s -5474(pri)s 3(vileged)k 6908(subsystems)s +320 fnt84 0 66(6.3.)m 628(Reducing)s 1997(the)s 2497(number)s +3655(of)s 4018(absolutely)s 5474(pri)s 3(vileged)k 6908(subsystems)s + grestore -0 6965(Currently)m 970(most)s -1495(Unix)s 2029(systems)s 2837(ha)s 4(v)k 3(e)k +0 5072(Currently)m 970(most)s 1495(Unix)s 2029(systems)s 2837(ha)s 4(v)k 3(e)k 3338(man)s 3(y)k 3921(components)s 5129(which)s 5771(need)s 6281(to)s 6520(run)s 6896(as)s 7146(root,)s 7638(e)s 6(v)k 3(en)k -8138(though)s 0 6725(most)m 525(of)s 796(their)s 1293(acti)s 6(vity)k +8138(though)s 0 4832(most)m 525(of)s 796(their)s 1293(acti)s 6(vity)k 2057(does)s 2547(not)s 2913(strictly)s 3629(require)s 4361(it.)s 4597(This)s 5073(gi)s 6(v)k 3(es)k 5620(rise)s 6020(to)s 6259(a)s 6425(lar)s 4(ge)k 6954(and)s -7358(comple)s 3(x)k 8234(body)s 8768(of)s 0 6485(code)m +7358(comple)s 3(x)k 8234(body)s 8768(of)s 0 4592(code)m 508(which)s 1150(must)s 1675(be)s 1957(trusted)s 2665(with)s 3147(the)s 3495(security)s 4305(of)s 4576(the)s 4924(system.)s -0 6077(Using)m gsave -625 6131 translate +0 4184(If)m 230(the)s 3(y)k 693(were)s 1213(to)s +1452(use)s gsave +1827 4238 translate 0.6953 1.0000 scale 240 fnt31 0 -52(userv)m grestore -1185(man)s 3(y)k -1768(of)s 
2039(these)s 2586(subsystems)s 3727(no)s 4020(longer)s -4691(need)s 5201(an)s 3(y)k 5598(unusual)s 6398(pri)s 6(vile)k 3(ge.)k +2327(,)s 2434(man)s 3(y)k +3017(of)s 3288(these)s 3835(sub)s 4161(sys)s 4458(tems)s +4960(w)s 2(ould)k 5615(no)s 5908(longer)s 6579(need)s +7089(an)s 3(y)k 7486(un)s 7723(usu)s 8051(al)s +8278(pri)s 6(v)k 8652(-)s 0 3944(i)m 60(le)s 3(ge.)k gsave -0 5723 translate +0 3590 translate 0.6953 1.0000 scale 240 fnt31 0 -52(cron)m grestore -455 5669(and)m gsave -853 5723 translate +455 3536(and)m gsave +853 3590 translate 0.6953 1.0000 scale 240 fnt31 0 -52(at)m grestore 1053(,)s gsave -1154 5723 translate +1154 3590 translate 0.6953 1.0000 scale 240 fnt31 0 -52(lpr)m grestore 1509(and)s 1907(the)s 2249(system')s 13(s)k 3117(mail)s 3591(transfer)s 4373(agent)s 4945(\()s gsave -5018 5723 translate +5018 3590 translate 0.6953 1.0000 scale 240 fnt31 0 -52(sendmail)m grestore 5819(,)s gsave -5921 5723 translate +5921 3590 translate 0.6953 1.0000 scale 240 fnt31 0 -52(smail)m grestore 6421(,)s gsave -6522 5723 translate +6522 3590 translate 0.6953 1.0000 scale 240 fnt31 0 -52(exim)m grestore 6976(or)s 7229(the)s 7572(lik)s 2(e\))k 8050(all)s 8337(f)s 2(all)k -8701(into)s 0 5429(this)m 396(cate)s 3(gory)k 15(.)k -9066 670 0 670 240 240 60 0 4405 LoutGr2 +8701(into)s 0 3296(this)m 396(cate)s 3(gory)k 15(,)k +1308(though)s gsave +2031 3350 translate +0.6953 1.0000 scale +240 fnt31 0 -52(userv)m +grestore +2531(-based)s 3213(v)s 3(ersions)k +4058(of)s 4329(these)s 4876(programs)s 5830(are)s 6177(not)s +6543(currently)s 7459(a)s 4(v)k 6(ailable.)k 9066 670 0 670 240 240 60 0 2272 LoutGr2 newpath 0 ysize 0.3 ft sub moveto xsize 0 rlineto 0 0.1 ft rlineto xsize neg 0 rlineto closepath fill grestore -320 fnt84 0 66(6.3.)m 628(Do)s 1092(not)s 1615(gi)s 3(v)k 3(e)k +320 fnt84 +0 66(6.4.)m 628(Do)s 1092(not)s 1615(gi)s 3(v)k 3(e)k 2234(away)s 3019(excessi)s 3(v)k 3(e)k 4312(pri)s 3(vilege)k 5571(to)s gsave 5910 139 translate 
@@ -5315,57 +5362,98 @@ grestore 6577(-using)s 7484(facilities)s grestore -0 3943(There)m 613(is)s 823(a)s 989(danger)s 1700(that)s +0 1810(There)m 613(is)s 823(a)s 989(danger)s 1700(that)s 2118(people)s 2812(reimplementing)s 4378(the)s 4726(f)s 2(acilities)k 5595(I)s 5730(mention)s 6571(abo)s 3(v)k 3(e)k 7193(using)s gsave -7765 3997 translate +7765 1864 translate 0.6953 1.0000 scale 240 fnt31 0 -52(userv)m grestore -8325(will)s 0 3703(discard)m +8325(will)s 0 1570(discard)m 731(much)s 1303(of)s 1557(the)s 1888(security)s 2680(bene\207t)s 3374(by)s 3651(using)s 4206(a)s 4355(nai)s 6(v)k 3(e)k 4902(implementation)s 6442(technique.)s 7459(This)s 7918(will)s 8326(become)s -0 3463(clearer)m 708(with)s 1190(an)s 1473(e)s 3(xample:)k -0 3055(Consider)m 924(the)s gsave -1272 3109 translate +0 1330(clearer)m 708(with)s 1190(an)s 1473(e)s 3(xample:)k +0 922(Consider)m 924(the)s gsave +1272 976 translate 0.6953 1.0000 scale 240 fnt31 0 -52(lpr)m grestore 1632(program.)s 2546(In)s 2802(current)s 3538(systems)s 4346(this)s 4742(needs)s 5338(to)s 5577(ha)s 4(v)k 3(e)k 6078(an)s -6361(absolutely)s 7398(pri)s 6(vile)k 3(ged)k 0 2815(component)m -1124(in)s 1367(order)s 1931(to)s 2170(support)s 2948(delayed)s -3750(printing)s 4560(without)s 5351(cop)s 2(ying:)k 6227(when)s -6803(the)s 7151(user)s 7609(queues)s 8325(a)s 8491(\207le)s -0 2575(to)m 239(be)s 521(printed)s 1256(the)s 1604(\207lename)s -2483(is)s 2693(stored)s 3335(in)s 3578(the)s 3926(print)s -4437(queue,)s 5116(rather)s 5732(than)s 6201(a)s 6367(cop)s 2(y)k +6361(absolutely)s 7398(pri)s 6(vile)k 3(ged)k 0 52(1.0.1)m +4809(User)s 5320(service)s 6052(daemon)s 6867(and)s 7271(client)s +7861(speci\207cation)s +grestore + +grestore + +pgsave restore +showpage + +%%Page: 21 21 +%%BeginPageSetup +%%PageResources: font Times-Roman +%%+ font Times-Bold +%%+ font Courier-Bold +%%+ font Times-Italic +/pgsave save def +0.0500 dup scale 10 setlinewidth +%%EndPageSetup +gsave +0 0 translate +240 fnt82 0.0 0.0 0.0 setrgbcolor 11900 
16840 0 16840 240 240 60 LoutGraphic +gsave +LoutPageSet +grestore +gsave +0 16840 translate +0.0000 rotate + +grestore + +grestore +gsave +0 16840 translate +0.0000 rotate +gsave +1417 -15423 translate +240 fnt82 0.0 0.0 0.0 setrgbcolor 9066 14006 0 14006 240 240 60 LoutGraphic +gsave +1 LoutMargSet +grestore +240 fnt84 8839 13842(21)m 240 fnt82 0 13254(component)m 1124(in)s +1367(order)s 1931(to)s 2170(support)s 2948(delayed)s 3750(printing)s +4560(without)s 5351(cop)s 2(ying:)k 6227(when)s 6803(the)s +7151(user)s 7609(queues)s 8325(a)s 8491(\207le)s 0 13014(to)m +239(be)s 521(printed)s 1256(the)s 1604(\207lename)s 2483(is)s +2693(stored)s 3335(in)s 3578(the)s 3926(print)s 4437(queue,)s +5116(rather)s 5732(than)s 6201(a)s 6367(cop)s 2(y)k 6885(of)s 7156(it,)s 7395(and)s 7799(the)s 8147(printer)s -0 2335(daemon)m 813(accesses)s 1671(the)s 2016(\207le)s 2375(directly)s +0 12774(daemon)m 813(accesses)s 1671(the)s 2016(\207le)s 2375(directly)s 3155(when)s 3729(it)s 3918(is)s 4126(ready)s 4708(to)s 4945(print)s 5453(the)s 5799(job)s 9(.)k 6197(In)s 6451(order)s 7012(that)s 7428(the)s 7773(user)s 8229(can)s -8615(print)s 0 2095(\207les)m 449(which)s 1091(are)s 1438(not)s +8615(print)s 0 12534(\207les)m 449(which)s 1091(are)s 1438(not)s 1804(w)s 2(orld-readable)k 3304(the)s 3652(daemon)s 4467(is)s 4677(gi)s 6(v)k 3(en)k 5257(root)s 5702(pri)s 6(vile)k 3(ge)k 6598(so)s 6864(that)s 7282(it)s 7474(can)s 7863(open)s -8386(the)s 8734(\207le)s 0 1855(in)m 243(the)s 591(conte)s 3(xt)k +8386(the)s 8734(\207le)s 0 12294(in)m 243(the)s 591(conte)s 3(xt)k 1352(of)s 1623(the)s 1971(user)s 9(,)k 2467(rather)s -3083(than)s 3552(its)s 3828(o)s 6(wn.)k 0 1447(A)m +3083(than)s 3552(its)s 3828(o)s 6(wn.)k 0 11886(A)m 212(simple-minded)s 1686(approach)s 2602(to)s 2823(con)s 9(v)k 3(erting)k 3868(this)s 4246(scheme)s 5001(to)s 5222(use)s gsave -5579 1501 translate +5579 11940 translate 0.6953 1.0000 scale 240 fnt31 0 -52(userv)m grestore 6120(might)s 6720(in)s 9(v)k 4(olv)k 3(e)k 
-7460(gi)s 6(ving)k 8101(the)s 8430(printer)s 0 1207(daemon)m +7460(gi)s 6(ving)k 8101(the)s 8430(printer)s 0 11646(daemon)m 811(\(the)s gsave -1233 1261 translate +1233 11700 translate 0.6953 1.0000 scale 240 fnt31 0 -52(lp)m grestore 
@@ -5373,278 +5461,206 @@ grestore 2354(ability)s 3013(to)s 3248(read)s 3712(the)s 4055(\207le)s 4412(by)s 4701(allo)s 6(wing)k 5581(them)s 6114(to)s 6349(run)s gsave -6720 1261 translate +6720 11700 translate 0.6953 1.0000 scale 240 fnt31 0 -52(cat)m grestore 7076(\(or)s 7409(a)s -7570(special-purpose)s 0 967(\207le-reading)m 1140(program\))s 2063(as)s 2299(an)s 3(y)k +7570(special-purpose)s 0 11406(\207le-reading)m 1140(program\))s 2063(as)s 2299(an)s 3(y)k 2681(user)s 13(.)k 3155(The)s gsave -3569 1021 translate +3569 11460 translate 0.6953 1.0000 scale 240 fnt31 0 -52(lpr)m grestore 3914(program)s 4769(w)s 2(ould)k 5410(use)s 5770(a)s gsave -5922 1021 translate +5922 11460 translate 0.6953 1.0000 scale 240 fnt31 0 -52(userv)m grestore 6467(service)s 7184(to)s 7409(store)s -7914(the)s 8247(\207lename)s 0 727(in)m 243(the)s 591(printer)s +7914(the)s 8247(\207lename)s 0 11166(in)m 243(the)s 591(printer)s 1287(daemon')s 13(s)k 2255(queues,)s 3027(and)s 3431(the)s 3779(daemon)s 4594(w)s 2(ould)k 5249(read)s 5718(the)s 6066(\207le)s 6427(later)s 6910(when)s 7486(it)s 7678(felt)s -8055(lik)s 2(e)k 8467(it.)s 0 52(1.0.1)m 4809(User)s -5320(service)s 6052(daemon)s 6867(and)s 7271(client)s 7861(speci\207cation)s - -grestore - -grestore - -pgsave restore -showpage - -%%Page: 21 21 -%%BeginPageSetup -%%PageResources: font Times-Roman -%%+ font Times-Bold -%%+ font Courier-Bold -%%+ font Times-Italic -/pgsave save def -0.0500 dup scale 10 setlinewidth -%%EndPageSetup -gsave -0 0 translate -240 fnt82 0.0 0.0 0.0 setrgbcolor 11900 16840 0 16840 240 240 60 LoutGraphic -gsave -LoutPageSet -grestore -gsave -0 16840 translate -0.0000 rotate - -grestore - -grestore -gsave -0 16840 translate -0.0000 rotate -gsave -1417 -15423 translate -240 fnt82 0.0 0.0 0.0 setrgbcolor 9066 14006 0 14006 240 240 60 LoutGraphic -gsave -1 LoutMargSet -grestore -240 fnt84 8839 13842(21)m 240 fnt82 0 13254(Ho)m 6(we)k 6(v)k 3(er)k 9(,)k +8055(lik)s 2(e)k 8467(it.)s 0 10758(Ho)m 6(we)k 6(v)k 3(er)k 
9(,)k 960(this)s 1356(w)s 2(ould)k 2011(allo)s 6(w)k 2590(the)s 2938(printer)s 3634(daemon)s 4449(to)s 4688(read)s 5157(an)s 3(y)k 5554(\207le)s 5915(on)s 6212(the)s -6560(system,)s 7331(whether)s 8161(or)s 8420(not)s 0 13014(someone)m +6560(system,)s 7331(whether)s 8161(or)s 8420(not)s 0 10518(someone)m 907(had)s 1311(ask)s 2(ed)k 1912(for)s 2250(it)s 2442(to)s 2681(be)s 2963(printed.)s 3744(Since)s 4331(man)s 3(y)k 4914(\207les)s 5363(will)s 5789(contain)s 6550(passw)s 2(ords)k -7596(and)s 8000(other)s 0 12774(security-critical)m 1551(information)s 2736(this)s +7596(and)s 8000(other)s 0 10278(security-critical)m 1551(information)s 2736(this)s 3132(is)s 3342(nearly)s 3993(as)s 4243(bad)s 4647(as)s 4897(gi)s 6(ving)k 5556(the)s 5904(daemon)s 6719(root)s -7164(access)s 7825(in)s 8068(the)s 8416(\207rst)s 0 12534(place.)m +7164(access)s 7825(in)s 8068(the)s 8416(\207rst)s 0 10038(place.)m 608(An)s 3(y)k 1072(security)s 1882(holes)s 2438(in)s 2681(the)s 3029(print)s 3540(serv)s 3(er)k 4180(which)s 4822(allo)s 6(w)k 5401(a)s 5567(user)s 6025(to)s 6264(e)s 3(x)k 3(ecute)k 7044(commands)s 8132(as)s 8382(the)s gsave -8730 12588 translate +8730 10092 translate 0.6953 1.0000 scale 240 fnt31 0 -52(lp)m grestore -0 12294(user)m 458(will)s +0 9798(user)m 458(will)s 884(gi)s 6(v)k 3(e)k 1343(the)s 1691(user)s 2149(the)s 2497(ability)s 3161(to)s 3400(read)s 3869(an)s 3(y)k -4266(\207le)s 4627(on)s 4924(the)s 5272(system.)s 0 11886(Instead,)m +4266(\207le)s 4627(on)s 4924(the)s 5272(system.)s 0 9390(Instead,)m 790(it)s 975(is)s 1178(necessary)s 2153(to)s 2385(k)s 2(eep)k 2881(a)s 3040(record)s 3700(of)s 3964(which)s 4599(\207les)s 5040(the)s 5381(daemon)s 6189(has)s 6552(been)s 7053(ask)s 2(ed)k -7647(to)s 7879(print)s 240 fnt83 8382 11888(outside)m 240 fnt82 -0 11646(the)m 348(control)s 1080(of)s 1351(the)s 1699(print)s +7647(to)s 7879(print)s 240 fnt83 8382 9392(outside)m 240 fnt82 +0 9150(the)m 348(control)s 1080(of)s 1351(the)s 1699(print)s 2210(daemon.)s 3072(This)s 
3548(record)s 4216(could)s 4806(be)s 5088(k)s 2(ept)k 5558(by)s 5852(a)s 6018(ne)s 6(w)k -6465(root-pri)s 6(vile)k 3(ged)k 7947(component,)s 0 11406(b)m 4(ut)k +6465(root-pri)s 6(vile)k 3(ged)k 7947(component,)s 0 8910(b)m 4(ut)k 352(this)s 737(is)s 936(not)s 1291(necessary:)s 2315(the)s 2652(record)s 3309(of)s 3569(which)s 4200(\207les)s 4638(a)s 4794(user)s 5241(has)s 5600(ask)s 2(ed)k 6190(to)s 6418(be)s 6689(printed)s 7413(can)s 7791(be)s 8062(k)s 2(ept)k -8521(under)s 0 11166(the)m 348(control)s 1080(of)s 1351(the)s +8521(under)s 0 8670(the)m 348(control)s 1080(of)s 1351(the)s 1699(user)s 2157(in)s 2400(question.)s 3315(The)s 3743(submission)s 4877(program)s gsave -5747 11220 translate +5747 8724 translate 0.6953 1.0000 scale 240 fnt31 0 -52(lpr)m grestore 6107(will)s 6533(mak)s 2(e)k 7105(a)s 7271(record)s 7939(in)s 8182(an)s 8465(area)s -0 10926(under)m 605(the)s 953(user')s 13(s)k 1561(control)s +0 8430(under)m 605(the)s 953(user')s 13(s)k 1561(control)s 2293(before)s 2959(communicating)s 4500(with)s 4982(the)s 5330(print)s 5841(serv)s 3(er)k 9(,)k 6519(and)s 6923(the)s 7271(print)s 7782(serv)s 3(er)k 8422(w)s 2(ould)k -0 10686(be)m 279(gi)s 6(v)k 3(en)k 855(the)s +0 8190(be)m 279(gi)s 6(v)k 3(en)k 855(the)s 1199(ability)s 1859(to)s 2094(run)s 2466(a)s 2628(special)s 3342(\207le-reading)s 4493(program)s 5359(which)s 5997(w)s 2(ould)k 6648(only)s 7124(allo)s 6(w)k 7699(\207les)s 8144(to)s -8379(be)s 8657(read)s 0 10446(which)m 642(were)s 1162(listed)s +8379(be)s 8657(read)s 0 7950(which)m 642(were)s 1162(listed)s 1737(in)s 1980(the)s 2328(user')s 13(s)k 2936(\207le)s 3297(of)s 3568(things)s 4204(the)s 3(y')k 12(d)k -4858(ask)s 2(ed)k 5459(to)s 5698(print.)s 0 10038(No)m 6(w)k +4858(ask)s 2(ed)k 5459(to)s 5698(print.)s 0 7542(No)m 6(w)k 502(security)s 1300(holes)s 1844(in)s 2075(most)s 2588(of)s 2846(the)s 3182(printing)s 3980(system)s 4692(do)s 4973(not)s 5327(critically)s 6215(af)s 6(fect)k 6799(the)s 7135(security)s -7933(of)s 8192(the)s 8527(entire)s 0 
9798(system:)m 770(the)s 3(y)k +7933(of)s 8192(the)s 8527(entire)s 0 7302(system:)m 770(the)s 3(y)k 1233(only)s 1713(allo)s 6(w)k 2292(the)s 2640(attack)s 2(er)k 3453(to)s 3692(read)s 4161(and)s 4565(interfere)s 5428(with)s 5910(print)s 6421(jobs.)s 6924(Bugs)s 7468(in)s 7711(the)s -8059(programs)s 0 9558(run)m 373(by)s 664(the)s 1009(print)s +8059(programs)s 0 7062(run)m 373(by)s 664(the)s 1009(print)s 1517(serv)s 3(er)k 2154(to)s 2390(read)s 2856(users')s 3456(\207les)s 3902(\(and)s 4382(to)s 4618(remo)s 3(v)k 3(e)k 5382(entries)s 6066(from)s 6587(the)s 6932(list)s 7280(of)s -7548(\207les)s 7994(when)s 8567(it)s 8756(has)s 0 9318(done)m +7548(\207les)s 7994(when)s 8567(it)s 8756(has)s 0 6822(done)m 522(with)s 1004(them\))s 1610(will)s 2036(still)s 2448(be)s 2730(serious,)s 3514(b)s 4(ut)k 3876(this)s 4272(program)s -5142(can)s 5531(be)s 5813(quite)s 6347(simple.)s 0 8910(Similar)m +5142(can)s 5531(be)s 5813(quite)s 6347(simple.)s 0 6414(Similar)m 762(considerations)s 2194(apply)s 2780(to)s 3019(man)s 3(y)k gsave -3602 8964 translate +3602 6468 translate 0.6953 1.0000 scale 240 fnt31 0 -52(userv)m grestore 4102(-based)s 4784(v)s 3(ersions)k 5629(of)s 5900(f)s 2(acilities)k 6769(which)s 7411(currently)s -8327(run)s 0 8670(as)m 250(root.)s 0 8262(It)m 198(is)s +8327(run)s 0 6174(as)m 250(root.)s 0 5766(It)m 198(is)s 401(debatable)s 1366(whether)s 2189(the)s 2530(user)s 4(-controlled)k 4023(state)s 4509(should)s 5199(be)s 5474(k)s 2(ept)k 5937(in)s 6173(the)s 6514(user')s 13(s)k 7115(\207lespace)s -8000(\(in)s 8315(dot\207les,)s 0 8022(say\))m 440(or)s 692(k)s 2(ept)k +8000(\(in)s 8315(dot\207les,)s 0 5526(say\))m 440(or)s 692(k)s 2(ept)k 1155(in)s 1391(a)s 1550(separate)s 2381(area)s 2831(set)s 3149(aside)s 3688(for)s 4019(the)s 4360(purpose;)s 5223(ho)s 6(we)k 6(v)k 3(er)k 9(,)k 6123(using)s 6688(the)s 7029(user')s 13(s)k 7630(home)s -8210(directory)s 0 7782(\(and)m 468(probably)s 1357(creating)s 2164(a)s -2314(separate)s 3137(subdirectory)s 4370(of)s 4626(it)s 
4802(as)s -5037(a)s 5187(dot\207le)s 5839(to)s 6062(contain)s 6808(man)s 3(y)k -7375(subsystems')s 8561(state\))s 0 7542(has)m 370(fe)s 6(wer)k -967(implications)s 2199(for)s 2537(the)s 2885(rest)s 3289(of)s -3560(the)s 3908(system)s 4632(and)s 5036(mak)s 2(es)k -5696(it)s 5888(entirely)s 6671(clear)s 7194(where)s 7834(the)s -8182(security)s 0 7302(boundaries)m 1101(lie.)s 9066 670 0 670 240 240 60 0 6278 LoutGr2 +8210(directory)s 0 5286(\(and)m 483(possibly)s 1335(creating)s 2157(a)s +2323(separate)s 3161(subdirectory)s 4410(of)s 4681(it)s 4873(as)s +5123(a)s 5289(dot\207le)s 5956(to)s 6195(contain)s 6956(subsystem)s +8013(state\))s 0 5046(has)m 370(fe)s 6(wer)k 967(implications)s +2199(for)s 2537(the)s 2885(rest)s 3289(of)s 3560(the)s +3908(system)s 4632(and)s 5036(mak)s 2(es)k 5696(it)s +5888(entirely)s 6671(clear)s 7194(where)s 7834(the)s 8182(security)s +0 4806(boundaries)m 1101(lie.)s 9066 670 0 670 240 240 60 0 3782 LoutGr2 newpath 0 ysize 0.3 ft sub moveto xsize 0 rlineto 0 0.1 ft rlineto xsize neg 0 rlineto closepath fill grestore -320 fnt84 0 66(6.4.)m -gsave +320 fnt84 0 66(6.5.)m gsave 628 139 translate 0.6953 1.0000 scale -320 fnt31 0 -70(userv)m -grestore -1375(is)s 1659(not)s 2182(a)s -2419(r)s 5(eplacement)k 4178(f)s 8(or)k gsave -4655 139 translate -0.6953 1.0000 scale 320 fnt31 -0 -70(really)m -grestore -5536(and)s gsave -6123 139 translate -0.6953 1.0000 scale -320 fnt31 0 -70(sudo)m -grestore - +0 -70(userv)m grestore +1375(can)s 1929(often)s 2695(r)s 5(eplace)k gsave -0 5870 translate +3758 139 translate 0.6953 1.0000 scale -240 fnt31 -0 -52(userv)m +320 fnt31 0 -70(sudo)m grestore -560 5816(is)m 770(not)s 1136(intended)s 2018(as)s -2268(a)s 2434(general-purpose)s 4030(system)s 4754(administration)s 6191(tool)s -6618(with)s 7100(which)s 7742(system)s 0 5576(administrators)m 1398(can)s -1767(e)s 3(x)k 3(ecute)k 2528(pri)s 6(vile)k 3(ged)k -3526(programs)s 4461(when)s 5017(the)s 3(y)k 5461(need)s -5951(to.)s 6222(It)s 6407(is)s 6598(unsuitable)s 
7617(for)s -7936(this)s 8312(purpose)s 0 5336(precisely)m 916(because)s 1729(it)s -1921(enforces)s 2781(a)s 2947(strong)s 3598(separation)s 4637(between)s -5491(the)s 5839(calling)s 6542(and)s 6946(the)s 7294(called)s -7922(program,)s 0 5096(which)m 642(is)s 852(undesirable)s 2010(in)s -2253(this)s 2649(conte)s 3(xt.)k 0 4688(Its)m 289(f)s 2(acilities)k -1158(for)s 1496(restricting)s 2516(acti)s 6(vities)k 3422(to)s -3661(running)s 4459(certain)s 5165(programs)s 6119(may)s 6585(at)s -6817(\207rst)s 7248(glance)s 7928(seem)s 8479(to)s 0 4420(pro)m 3(vide)k -769(similar)s 1476(functionality)s 2736(to)s gsave -2960 4474 translate -0.6953 1.0000 scale -240 fnt31 0 -52(sudo)m - -grestore -153 fnt82 3360 4509(1)m 240 fnt82 3420 4420(.)m 3509(Ho)s 6(we)k 6(v)k 3(er)k 9(,)k -4454(the)s 4787(separation)s 5811(mentioned)s 6864(abo)s 3(v)k 3(e)k -7471(is)s 7666(a)s 7817(problem)s 8659(here)s 0 4180(too,)m -413(particular)s 1387(for)s 1725(interaction)s 2803(-)s 2931(it)s -3123(can)s 3512(be)s 3794(hard)s 4277(for)s 4615(a)s -gsave -4781 4234 translate +4292(,)s 4444(b)s 6(ut)k +4978(not)s gsave +5501 139 translate 0.6953 1.0000 scale -240 fnt31 0 -52(userv)m -grestore -5341(service)s 6073(program)s 6943(to)s -7182(interact)s 7957(with)s 8439(its)s 8714(real)s 0 3940(caller)m -589(or)s 848(the)s 1196(user)s 1654(in)s 1897(question.)s -9066 670 0 670 240 240 60 0 2916 LoutGr2 -newpath 0 ysize 0.3 ft sub moveto -xsize 0 rlineto -0 0.1 ft rlineto -xsize neg 0 rlineto -closepath fill +320 fnt31 0 -70(really)m grestore -320 fnt84 0 66(6.5.)m 628(Don't)s 1488(gi)s 3(v)k 3(e)k -2107(access)s 3013(to)s 3352(general-pur)s 3(pose)k 5640(utilities)s grestore -0 2454(Do)m 346(not)s 712(specify)s 1456(general)s 2214(purpose)s -3028(programs)s 3982(lik)s 2(e)k gsave -4394 2508 translate +gsave +0 3374 translate 0.6953 1.0000 scale -240 fnt31 0 -52(mv)m +240 fnt31 0 -52(userv)m grestore -4654(or)s gsave -4913 2508 translate +559 3320(is)m 768(not)s 1133(in)s 1316(tend)s 1726(ed)s +2009(as)s 
2258(a)s 2423(general-)s 3194(purpose)s 4007(sys)s +4304(tem)s 4721(ad)s 4945(min)s 5314(is)s 5464(tra)s +5715(tion)s 6143(tool)s 6569(with)s 7050(which)s 7691(sys)s +7988(tem)s 8405(ad)s 8629(min)s 8998(-)s 0 3080(is)m +150(tra)s 401(tors)s 801(can)s 1181(e)s 3(x)k +1399(e)s 1501(cute)s 1946(ar)s 2131(bi)s 2311(trary)s +2806(pro)s 3118(grams)s 3744(lik)s 2(e)k 4147(te)s 3(xt)k +4553(ed)s 4777(i)s 4837(tors)s 5236(as)s 5477(root)s +5913(\(or)s 6242(oth)s 6545(er)s 6781(sys)s 7078(tem)s +7487(users\))s 8097(when)s 8663(the)s 3(y)k 0 2840(need)m +501(to.)s 782(It)s 978(is)s 1179(un)s 1416(suit)s +1761(able)s 2205(for)s 2534(this)s 2921(pur)s 3240(pose)s +3726(pre)s 4027(cise)s 4394(ly)s 4625(be)s 4847(cause)s +5424(it)s 5607(en)s 5830(forces)s 6455(a)s 6612(strong)s +7254(sep)s 7566(a)s 7672(ra)s 7857(tion)s 8276(be)s +8498(tween)s 0 2600(the)m 348(call)s 687(ing)s 1046(and)s +1450(the)s 1798(called)s 2426(pro)s 2738(gram,)s 3336(which)s +3978(is)s 4188(un)s 4425(de)s 4647(sir)s 4885(able)s +5339(in)s 5582(this)s 5978(con)s 6321(te)s 3(xt.)k +0 2192(Ho)m 6(we)k 6(v)k 3(er)k 9(,)k +951(its)s 1217(use)s 1582(when)s 2148(restricted)s 3084(to)s +3313(running)s 4101(particular)s 5065(programs)s 6009(in)s 6243(particular)s +7207(w)s 2(ays)k 7738(is)s 7938(v)s 3(ery)k +8404(similar)s 0 1924(to)m 239(man)s 3(y)k 822(common)s +1717(uses)s 2180(of)s gsave +2451 1978 translate 0.6953 1.0000 scale -240 fnt31 0 -52(cat)m +240 fnt31 0 -52(sudo)m grestore -5273(in)s gsave -5516 2508 translate +153 fnt82 +2851 2013(1)m 240 fnt82 2911 1924(.)m gsave +3015 1978 translate 0.6953 1.0000 scale -240 fnt31 -0 -52(execute\211)m +240 fnt31 0 -52(userv)m + grestore -6377(directi)s 6(v)k 3(es)k 7347(without)s -8138(careful)s 0 2214(thought)m 792(about)s 1384(their)s 1881(ar)s 4(guments,)k -2980(and)s 3384(certainly)s 4273(not)s 4639(if)s gsave -4856 2268 translate +3575(is)s 3785(generally)s 4728(much)s 5317(better)s 5920(than)s +6389(restricted)s gsave +7334 1978 translate 0.6953 1.0000 scale 
-240 fnt31 -0 -52(no\211suppress\211args)m +240 fnt31 0 -52(sudo)m grestore -6518(is)s 6728(speci\207ed.)s 7682(If)s 7912(you)s -8327(do)s 8620(so)s 8886(it)s 0 1974(will)m 426(gi)s 6(v)k 3(e)k -885(the)s 1233(caller)s 1822(much)s 2411(more)s 2958(pri)s 6(vilige)k -3817(than)s 4286(you)s 4701(probably)s 5606(intend.)s 0 1566(It)m -205(is)s 415(a)s 581(shame)s 1248(that)s 1666(I)s -1801(ha)s 4(v)k 3(e)k 2302(to)s 2541(say)s -2914(this)s 3310(here,)s 3828(b)s 4(ut)k 4190(ine)s 3(xperienced)k -5586(administrators)s 7003(ha)s 4(v)k 3(e)k 7504(made)s -8078(similar)s 1134 0 0 0 240 240 60 0 1177 LoutGr2 +7734(,)s 7841(because)s +8654(it)s 0 1684(protects)m 796(the)s 1132(called)s 1748(program)s +2607(much)s 3184(more)s 3719(strongly)s 4545(from)s 5058(bad)s +5450(en)s 9(vironmental)k 6865(conditions)s 7902(set)s 8215(up)s +8496(by)s 8778(the)s 1134 0 0 0 240 240 60 0 1177 LoutGr2 0 0 moveto xsize 0 lineto stroke grestore @@ -5652,16 +5668,17 @@ grestore 122 fnt82 0 982(1)m gsave 58 955 translate 0.6953 1.0000 scale -192 fnt31 0 -42(sudo)m - +192 fnt31 +0 -42(sudo)m grestore -192 fnt82 425 912(is)m 593(a)s 726(program)s 1422(which)s -1936(allo)s 4(ws)k 2472(users)s 2905(to)s 3097(e)s 2(x)k 2(ecute)k -3723(certain)s 4289(programs)s 5052(as)s 5252(root,)s 5646(according)s -6444(to)s 6636(con\207guration)s 7703(\207les)s 8062(speci\207ed)s 8789(by)s -0 682(the)m 279(system)s 858(administrator)s 10(.)k 240 fnt82 -0 52(User)m 511(service)s 1243(daemon)s 2058(and)s 2462(client)s -3052(speci\207cation)s 8611(1.0.1)s +192 fnt82 425 912(is)m 593(a)s 726(program)s +1422(which)s 1936(allo)s 4(ws)k 2472(users)s 2905(to)s +3097(e)s 2(x)k 2(ecute)k 3723(certain)s 4289(programs)s +5052(as)s 5252(root,)s 5646(according)s 6444(to)s 6636(con\207guration)s +7703(\207les)s 8062(speci\207ed)s 8789(by)s 0 682(the)m 279(system)s +858(administrator)s 10(.)k 240 fnt82 0 52(User)m 511(service)s +1243(daemon)s 2058(and)s 2462(client)s 3052(speci\207cation)s 8611(1.0.1)s + grestore grestore 
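Review bot: the regenerated page footer in this hunk still carries the version stamp `1.0.1` on both the old and the new side (`3052(speci\207cation)s 8611(1.0.1)s`), so the reflow changed the layout but not the version string. If this regeneration is meant to accompany a new specification revision, the version in the SGML source needs bumping before the PostScript is rebuilt; otherwise please confirm that leaving the rendered spec at 1.0.1 is intended.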
@@ -5672,6 +5689,7 @@ showpage %%Page: 22 22 %%BeginPageSetup %%PageResources: font Times-Roman +%%+ font Times-Bold %%+ font Courier-Bold /pgsave save def 0.0500 dup scale 10 setlinewidth 
@@ -5698,14 +5716,148 @@ gsave gsave 0 LoutMargSet grestore -0 13844(??)m 0 13255(mistak)m 2(es)k 885(with)s 1367(programs)s +240 fnt84 0 13842(22)m 240 fnt82 0 13254(caller)m 13(.)k +604(Most)s 1140(programs)s 2077(that)s 2479(one)s 2864(might)s +3466(w)s 2(ant)k 3972(to)s 4195(run)s 4554(via)s +4890(restricted)s gsave +5818 13308 translate +0.6953 1.0000 scale +240 fnt31 0 -52(sudo)m +grestore +6218(,)s 6309(ha)s 4(v)k 3(e)k +6793(not)s 7143(been)s 7635(designed)s 8528(to)s 8750(run)s +0 13014(in)m 243(a)s 409(partially)s 1258(hostile)s 1951(en)s 9(vironment.)k +gsave +3255 13068 translate +0.6953 1.0000 scale +240 fnt31 0 -52(userv)m +grestore +3815(allo)s 6(ws)k 4484(these)s +5031(programs)s 5985(to)s 6224(be)s 6506(run)s 6882(in)s +7125(a)s 7291(safer)s 7814(en)s 9(vironment)k 0 12774(and)m +404(should)s 1101(be)s 1383(used)s 1880(instead.)s 9066 671 0 671 240 240 60 0 11749 LoutGr2 +newpath 0 ysize 0.3 ft sub moveto +xsize 0 rlineto +0 0.1 ft rlineto +xsize neg 0 rlineto +closepath fill +grestore +320 fnt84 +0 66(6.6.)m 628(Err)s 5(or)k 1499(handling)s 2778(and)s +3365(input)s 4170(str)s 5(eams)k 5301(\(eg)s 5784(stdin\))s + +grestore +0 11287(When)m 610(the)s 938(service)s 1651(program)s 2501(is)s +2692(reading)s 3442(from)s 3947(a)s 4093(\207le)s 4435(descriptor)s +5430(connected)s 6439(to)s 6658(the)s 6987(calling)s 7670(side,)s +8143(the)s 8471(fd)s 8708(that)s 0 11047(the)m 348(service)s +1080(program)s 1950(refers)s 2543(to)s 2782(a)s 2948(pipe)s +3416(set)s 3741(up)s 4034(by)s gsave +4328 11101 translate +0.6953 1.0000 scale +240 fnt31 0 -52(userv)m + +grestore +4888(and)s 5292(not)s 5658(to)s 5897(the)s 6245(same)s +6792(object)s 7436(as)s 7686(w)s 2(as)k 8107(presented)s +0 10807(by)m 294(the)s 642(caller)s 13(.)k 0 10399(Therefore)m +988(if)s 1195(there)s 1718(is)s 1918(some)s 2469(kind)s +2943(of)s 3205(error)s 3718(it)s 3900(is)s 4100(possible)s +4930(for)s 5258(the)s 5597(service-side)s 6783(fd)s 7030(to)s +7259(gi)s 6(v)k 3(e)k 7708(premature)s 
8722(end)s +0 10159(of)m 271(\207le.)s 680(If)s 910(it)s 1102(is)s +1312(important)s 2301(to)s 2540(tell)s 2899(whether)s 3729(all)s +4022(of)s 4293(the)s 4641(intended)s 5523(data)s 5981(has)s +6351(been)s 6860(recei)s 6(v)k 3(ed)k 7718(by)s +8012(the)s 8360(service)s 0 9919(program,)m 917(the)s 1265(datastream)s +2359(must)s 2884(contain)s 3645(an)s 3928(e)s 3(xplicit)k +4701(end-of-\207le)s 5765(indication)s 6778(of)s 7049(some)s 7610(kind.)s +0 9511(F)m 3(or)k 385(e)s 3(xample,)k 1294(consider)s +2159(a)s gsave +2321 9565 translate +0.6953 1.0000 scale +240 fnt31 0 -52(userv)m +grestore +2876(service)s 3603(for)s +3936(submitting)s 5008(a)s 5169(mail)s 5643(message,)s 6556(where)s +7191(message)s 8052(is)s 8257(supplied)s 0 9271(on)m 297(the)s +645(service')s 13(s)k 1531(stdin.)s 2100(Ho)s 6(we)k 6(v)k 3(er)k 9(,)k +3060(if)s 3277(the)s 3625(calling)s 4328(process)s 5096(is)s +5306(interrupted)s 6412(before)s 7078(it)s 7270(has)s 7640(written)s +8373(all)s 8666(of)s 0 9031(the)m 347(message,)s 1262(the)s +1608(service)s 2339(program)s 3207(will)s 3631(get)s 3982(EOF)s +4490(on)s 4785(the)s 5132(message)s 5996(data.)s 6496(In)s +6751(a)s 6915(nai)s 6(v)k 3(e)k 7478(arrangement)s +8730(this)s 0 8791(w)m 2(ould)k 655(cause)s 1242(a)s +1408(half-complete)s 2790(message)s 3656(to)s 3895(be)s 4177(sent.)s +4666(T)s 19(o)k 4966(pre)s 6(v)k 3(ent)k +5734(this,)s 6186(it)s 6378(is)s 6588(necessary)s 7571(to)s +7810(adopt)s 8402(some)s 0 8551(kind)m 484(of)s 755(e)s 3(xplicit)k +1528(end)s 1932(indication;)s 3000(for)s 3338(e)s 3(xample,)k +4252(the)s 4600(end)s 5004(of)s 5275(the)s 5623(message)s +6489(could)s 7079(be)s 7361(signalled)s 8282(by)s 8576(a)s +8742(dot)s 0 8311(on)m 297(a)s 463(line)s 877(by)s +1171(itself,)s 1754(and)s 2158(dots)s 2608(doubled,)s 3487(as)s +3737(in)s 3980(SMTP)s 26(.)k 4683(Then)s 5232(the)s +5580(service)s 6312(program)s 7182(w)s 2(ould)k 7837(kno)s 6(w)k +8418(when)s 0 8071(the)m 348(entire)s 947(message)s 1813(had)s +2217(been)s 
2726(recei)s 6(v)k 3(ed,)k 3633(and)s +4037(could)s 4627(a)s 4(v)k 4(oid)k 5209(queueing)s +6140(incomplete)s 7258(messages.)s 9066 670 0 670 240 240 60 0 7047 LoutGr2 +newpath 0 ysize 0.3 ft sub moveto +xsize 0 rlineto +0 0.1 ft rlineto +xsize neg 0 rlineto +closepath fill +grestore +320 fnt84 0 66(6.7.)m 628(Don't)s +1488(gi)s 3(v)k 3(e)k 2107(access)s 3013(to)s +3352(general-pur)s 3(pose)k 5640(utilities)s +grestore +0 6585(Do)m 346(not)s +712(specify)s 1456(general)s 2214(purpose)s 3028(programs)s 3982(lik)s 2(e)k +gsave +4394 6639 translate +0.6953 1.0000 scale +240 fnt31 0 -52(mv)m +grestore +4654(or)s gsave +4913 6639 translate +0.6953 1.0000 scale +240 fnt31 0 -52(cat)m + +grestore +5273(in)s gsave +5516 6639 translate +0.6953 1.0000 scale +240 fnt31 0 -52(execute\211)m +grestore +6377(directi)s 6(v)k 3(es)k +7347(without)s 8138(careful)s 0 6345(thought)m 792(about)s 1384(their)s +1881(ar)s 4(guments,)k 2980(and)s 3384(certainly)s 4273(not)s +4639(if)s gsave +4856 6399 translate +0.6953 1.0000 scale +240 fnt31 0 -52(no\211suppress\211args)m +grestore +6518(is)s 6728(speci\207ed.)s +7682(If)s 7912(you)s 8327(do)s 8620(so)s 8886(it)s +0 6105(will)m 426(gi)s 6(v)k 3(e)k 885(the)s +1233(caller)s 1822(much)s 2411(more)s 2958(pri)s 6(vilige)k +3817(than)s 4286(you)s 4701(probably)s 5606(intend.)s 0 5697(It)m +205(is)s 415(a)s 581(shame)s 1248(that)s 1666(I)s +1801(ha)s 4(v)k 3(e)k 2302(to)s 2541(say)s +2914(this)s 3310(here,)s 3828(b)s 4(ut)k 4190(ine)s 3(xperienced)k +5586(administrators)s 7003(ha)s 4(v)k 3(e)k 7504(made)s +8078(similar)s 0 5457(mistak)m 2(es)k 885(with)s 1367(programs)s 2321(lik)s 2(e)k gsave -2733 13309 translate +2733 5511 translate 0.6953 1.0000 scale 240 fnt31 0 -52(sudo)m grestore 3133(.)s - +0 52(1.0.1)m 4809(User)s 5320(service)s 6052(daemon)s 6867(and)s +7271(client)s 7861(speci\207cation)s grestore grestore diff --git a/spec.sgml b/spec.sgml index 7b4d4c4..511400a 100644 --- a/spec.sgml +++ b/spec.sgml 
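Review bot: three wording problems in the rendered text of this hunk should be fixed in the SGML source rather than here, since this file is generated. The sentence `4890(restricted)s ... (sudo)m 6218(,)s 6309(ha)s 4(v)k 3(e)k 6793(not)s` renders as "run via restricted sudo, have not been designed", with a stray comma between subject and verb. The new 6.6 text `8471(fd)s 8708(that)s 0 11047(the)m 348(service)s 1080(program)s 1950(refers)s 2543(to)s 2782(a)s 2948(pipe)s` renders as "the fd that the service program refers to a pipe set up by userv", which has lost its main verb (something like "the fd that the service program reads from refers to a pipe"). Finally the paragraph moved into 6.7 still contains `2958(pri)s 6(vilige)k` ("privilige" for "privilege"); the typo was already present in the old text in this diff, but moving the paragraph is a good moment to correct it at the source.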
@@ -11,7 +11,7 @@ program to invoke another when only limited trust exists between them. - Applications and notes on use

    +Examples +

    + +The companion package, Standard services and directory management

    In later versions of this specification standard service names and interfaces for common services such as mail delivery and WWW CGI -scripts will be specified. +scripts may be specified.

    ~/.userv/.servdata/, where -~/.userv/, where -The use of a dot-directory inside ~/.userv will hopefully avoid -the user becoming confused by finding parts of a semi-privileged -application's internal state in their filespace, and or discourage -them from fiddling with and thus corrupting it. (Note that such -applications should of course not rely for their global integrity on -the integrity of the data on the user's side of the security -boundary.) +If desired, a dot-directory inside ~/.userv may be used to +avoid the user becoming confused by finding parts of a semi-privileged +application's internal state in their filespace, and/or discourage +them from fiddling with and thus corrupting it. +

    + +However, Reducing the number of absolutely privileged subsystems
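Review bot: the rewritten directory paragraph drops the parenthetical "(Note that such applications should of course not rely for their global integrity on the integrity of the data on the user's side of the security boundary.)" without replacing it. That sentence is the security-relevant point of this section: once state lives under `~/.userv/` the user owns it and can edit or corrupt it at will, and the new wording only says a dot-directory "may" discourage fiddling, which is a usability argument rather than a statement about the trust boundary. Please keep the caveat, for example as its own sentence after the dot-directory recommendation, so that service authors do not read the relocation from `.servdata` to `~/.userv/service` as permission to trust whatever they find there.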

    @@ -1272,13 +1281,13 @@ it. This gives rise to a large and complex body of code which must be trusted with the security of the system.

    -Using +If they were to use Do not give away excessive privilege to @@ -1344,29 +1353,59 @@ facilities which currently run as root. It is debatable whether the user-controlled state should be kept in the user's filespace (in dotfiles, say) or kept in a separate area set aside for the purpose; however, using the user's home directory (and -probably creating a separate subdirectory of it as a dotfile to -contain many subsystems' state) has fewer implications for the rest of -the system and makes it entirely clear where the security boundaries -lie. +possibly creating a separate subdirectory of it as a dotfile to +contain subsystem state) has fewer implications for the rest of the +system and makes it entirely clear where the security boundaries lie. - -Its facilities for restricting activities to running certain programs -may at first glance seem to provide similar functionality to +However, its use when restricted to running particular programs in +particular ways is very similar to many common uses of . However, the -separation mentioned above is a problem here too, particular for -interaction - it can be hard for a . Error handling and input streams (eg stdin) +

    + +When the service program is reading from a file descriptor connected +to the calling side, the fd that the service program refers to a pipe +set up by + +Therefore if there is some kind of error it is possible for the +service-side fd to give premature end of file. If it is important to +tell whether all of the intended data has been received by the service +program, the datastream must contain an explicit end-of-file +indication of some kind. +

    + +For example, consider a Don't give access to general-purpose utilities
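Review bot: in the added "Error handling and input streams" section the sentence "the fd that the service program refers to a pipe set up by userv" is missing its main verb, and the following "Therefore if there is some kind of error it is possible for the service-side fd to give premature end of file" depends on it, so the premature-EOF argument currently has no stated premise. Suggest "the fd that the service program reads from refers to a pipe set up by userv, not to the object the caller passed", which also makes explicit why the service side cannot distinguish a genuine end of input from the caller dying or being interrupted, which is what motivates the in-band end-of-message indication described in the example.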

    diff --git a/spec.sgml.in b/spec.sgml.in index d0de374..3d81de0 100644 --- a/spec.sgml.in +++ b/spec.sgml.in @@ -11,7 +11,7 @@ program to invoke another when only limited trust exists between them. - Applications and notes on use

    +Examples +

    + +The companion package, Standard services and directory management

    In later versions of this specification standard service names and interfaces for common services such as mail delivery and WWW CGI -scripts will be specified. +scripts may be specified.

    ~/.userv/.servdata/, where -~/.userv/, where -The use of a dot-directory inside ~/.userv will hopefully avoid -the user becoming confused by finding parts of a semi-privileged -application's internal state in their filespace, and or discourage -them from fiddling with and thus corrupting it. (Note that such -applications should of course not rely for their global integrity on -the integrity of the data on the user's side of the security -boundary.) +If desired, a dot-directory inside ~/.userv may be used to +avoid the user becoming confused by finding parts of a semi-privileged +application's internal state in their filespace, and/or discourage +them from fiddling with and thus corrupting it. +

    + +However, Reducing the number of absolutely privileged subsystems

    @@ -1272,13 +1281,13 @@ it. This gives rise to a large and complex body of code which must be trusted with the security of the system.

    -Using +If they were to use Do not give away excessive privilege to @@ -1344,29 +1353,59 @@ facilities which currently run as root. It is debatable whether the user-controlled state should be kept in the user's filespace (in dotfiles, say) or kept in a separate area set aside for the purpose; however, using the user's home directory (and -probably creating a separate subdirectory of it as a dotfile to -contain many subsystems' state) has fewer implications for the rest of -the system and makes it entirely clear where the security boundaries -lie. +possibly creating a separate subdirectory of it as a dotfile to +contain subsystem state) has fewer implications for the rest of the +system and makes it entirely clear where the security boundaries lie. - -Its facilities for restricting activities to running certain programs -may at first glance seem to provide similar functionality to +However, its use when restricted to running particular programs in +particular ways is very similar to many common uses of . However, the -separation mentioned above is a problem here too, particular for -interaction - it can be hard for a . Error handling and input streams (eg stdin) +

    + +When the service program is reading from a file descriptor connected +to the calling side, the fd that the service program refers to a pipe +set up by + +Therefore if there is some kind of error it is possible for the +service-side fd to give premature end of file. If it is important to +tell whether all of the intended data has been received by the service +program, the datastream must contain an explicit end-of-file +indication of some kind. +

    + +For example, consider a Don't give access to general-purpose utilities
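Review bot: the hunks for spec.sgml.in are identical, line for line, to the spec.sgml hunks earlier in this patch, including the dropped security-boundary caveat in the directory paragraph and the verb-less sentence in the new "Error handling and input streams" section, so both comments made there apply here unchanged. If spec.sgml is produced from spec.sgml.in, as the naming suggests, only the `.in` file should be edited and the derived file regenerated; editing the two in parallel is how the copies will eventually diverge.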

    -- 2.30.2