From: Bill Davidsen <davidsen@tmr.com>
To: gogi-k@gogi.tv
Cc: linux-kernel@vger.kernel.org
Subject: Re: One process with multiple user ids.
Date: Tue, 02 Oct 2007 18:38:58 -0400
Message-ID: <4702C882.9090105@tmr.com>
In-Reply-To: <200710021256.08469.gogi-k@gogi.tv>

Giuliano Gagliardi wrote:
> Hello,
>
> I have a server that has to switch to different user ids, but because it does
> other complex things, I would rather not have it run as root. I only need the
> server to be able to switch to certain pre-defined user ids.
>
> I have seen that two possible solutions have already been suggested here on
> the LKML, but it was some years ago, and nothing like it has been
> implemented.
>
> (1) Having supplementary user ids like there are supplementary group ids and
> system calls getuids() and setuids() that work like getgroups() and
> setgroups()
>
> (2) Allowing processes to pass user and group ids via sockets.
>
> Both (1) and (2) would solve my problem. Now my question is whether there are
> any fundamental flaws with (1) or (2), or whether the right way to solve my
> problem is another one.
>
Changing to a limited set of IDs is interesting; I have never looked at
what happens when a thread does setuid, and neither the man page nor a
very quick look at the code tells me. But the portable way is to do the
things needed for init, then fork into three processes and give each a
UID as needed. I would really evaluate the design which made this
necessary, to see if some IPC could be used. Certainly that's more
likely to be portable.
--
Bill Davidsen <davidsen@tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot