
I was scrolling through a Google Research paper related to privilege separation and I felt lost while reading this:

In Unix, every process runs within its own protection domain, i.e., the operating system protects the address space of a process from manipulation and control by unrelated users. Using this feature, we accomplish privilege separation by spawning unprivileged children from a privileged parent. To execute privileged operations, an unprivileged child asks its privileged parent to execute the operation on behalf of the child. An adversary who gains control over the child is confined in its protection domain and does not gain control over the parent.

I can't figure out how this can be possible. If instructions are performed by the parent on behalf of the concerned child, why can't an attacker gaining access to the child process manipulate the parent process to execute privileged instructions, still on behalf of the child process?

Mike Ounsworth
Shruikan
  • You can browse some source code to get a better view of the operation. Apache httpd, for example, uses this approach for child processes. – Romeo Ninov Jun 02 '15 at 16:02
  • In a typical implementation, the child can't ask the parent to do /anything/, just specific predetermined operations. So the parent might be able in theory to delete any file, but will only accept requests to delete files under a specific root. – Alfred Armstrong Jun 02 '15 at 16:33
  • @AlfredArmstrong put that comment in as an answer and get up-votes :) – David Waters Jun 03 '15 at 01:17

1 Answer


In a typical implementation, the child can only ask the parent to perform specific predetermined operations. It does not have a completely free hand.

So, for example, the parent might have the power to delete any file, but will only accept requests to delete files under a specific root.
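The pattern the answer (and the quoted paper) describes, as an added example that is not part of the question, the answer, or any real project's code: a privileged parent forks a child, the two talk over a socketpair, and the parent's entire interface is a fixed allowlist of operations whose path arguments are confined to one root directory. The operation names, the `MAX_REQUEST` cap, the temporary fixture directory and the `escape` symlink are all constructed for this example; the child is not actually deprivileged here (the comment marks where `setuid`/`chroot` would go), since that needs root to demonstrate.

```python
import json
import os
import socket
import tempfile

# Added example (not from the question or the answer): a minimal
# privilege-separation broker. The parent exposes exactly two operations and
# confines every path argument to a root directory; a compromised child can
# send anything it likes, but the parent only does what handle_request permits.

MAX_REQUEST = 4096  # cap on a single message from the child (constructed value)


def _confine(root, rel_path):
    """Resolve rel_path under root; refuse anything that escapes it.
    realpath collapses '..' and follows symlinks before the prefix test."""
    if not isinstance(rel_path, str) or rel_path.startswith("/"):
        raise ValueError("path must be a relative string")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, rel_path))
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        raise ValueError("path escapes confinement root")
    return candidate


def handle_request(request, root):
    """The parent's whole privileged interface. Operation names are an
    allowlist; there is no 'run this command' or 'open any path' escape."""
    op = request.get("op") if isinstance(request, dict) else None
    try:
        if op == "exists":
            return {"ok": True, "exists": os.path.exists(_confine(root, request.get("path")))}
        if op == "delete":
            os.unlink(_confine(root, request.get("path")))
            return {"ok": True}
        return {"ok": False, "error": "operation not permitted"}
    except (ValueError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


def serve(conn, root):
    """Parent side: one JSON request per message until the child hangs up.
    Returns the transcript so the caller can see what was accepted."""
    transcript = []
    while True:
        data = conn.recv(MAX_REQUEST)
        if not data:
            return transcript
        try:
            request = json.loads(data.decode())
        except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
            request = None  # malformed input is treated as an unknown request
        response = handle_request(request, root)
        transcript.append((request, response))
        conn.sendall(json.dumps(response).encode())


def ask(conn, request):
    """Child side helper: send one request, wait for the parent's answer."""
    conn.sendall(json.dumps(request).encode())
    return json.loads(conn.recv(MAX_REQUEST).decode())


def make_fixture():
    """Constructed sandbox: a temp root holding one file and a symlink that
    points outside the root (the usual way to try to slip past a prefix check)."""
    root = tempfile.mkdtemp(prefix="privsep-")
    open(os.path.join(root, "inside.txt"), "w").close()
    os.symlink("/etc", os.path.join(root, "escape"))
    return root


def demo():
    """Fork a child that asks for things it should and should not get, and
    return the parent's transcript of requests and responses."""
    root = make_fixture()
    parent_end, child_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:  # child: in production this is where setgid/setuid/chroot happen
        parent_end.close()
        ask(child_end, {"op": "exists", "path": "inside.txt"})          # allowed
        ask(child_end, {"op": "delete", "path": "../../etc/passwd"})   # escapes root
        ask(child_end, {"op": "delete", "path": "escape/passwd"})      # escapes via symlink
        ask(child_end, {"op": "exec", "cmd": "/bin/sh"})               # not an operation
        ask(child_end, {"op": "delete", "path": "inside.txt"})         # allowed
        child_end.close()
        os._exit(0)
    child_end.close()
    transcript = serve(parent_end, root)
    os.waitpid(pid, 0)
    return transcript


if __name__ == "__main__":
    for request, response in demo():
        print(request, "->", response)
```

The point the answer makes lives entirely in `handle_request` and `_confine`: the parent never interprets a request as "do X for me", only as "is this one of the two things I agreed to do, on a path that resolves inside my root?" Everything else, including requests that are not even valid JSON, gets the same refusal, so taking over the child buys an attacker exactly those two operations and nothing more.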