From: Jerry Haltom <wasabi@larvalstage.net>
To: Valdis.Kletnieks@vt.edu
Cc: linux-kernel@vger.kernel.org
Subject: Re: setpeuid(pid_t, uid_t) proposal
Date: Tue, 24 Aug 2004 01:27:50 -0500 [thread overview]
Message-ID: <1093328870.1248.31.camel@localhost> (raw)
In-Reply-To: <200408240558.i7O5wFuP031966@turing-police.cc.vt.edu>
> What does this buy you that having the separate daemon just do
> a fork/seteuid/exec to do the work, and passing the results back via a
> Unix socket or shared mem or what-have-you?
To do a seteuid the daemon would need to be root. This means it would be
processing remote information of a sensitive nature, such as Kerberos
ticket acquisition, SASL stuff, etc, as root. Something I'm trying to
avoid. It has to first determine what uid before it can call setuid and
the process of determining this uid is very sensitive in many
situations.
> Alternatively, what would this give you that isn't already done by
> the SELinux support for cron, or Apache suexec, which already allow
> "run the following in another context" functionality?
I don't know about this SELinux thing you speak of yet; I'll look into
it. Apache suexec spawns a separate process for each individual request.
It cannot function properly with in-process modules, such as mod_webdav,
mod_php, and... all the others. Being able to function in process is the
main idea behind this.
Jerry Haltom <wasabi@larvalstage.net>
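For readers following the fork/seteuid/exec alternative raised in the quoted question, here is an added example (not code from Jerry Haltom or from the thread) of that pattern done as a permanent privilege drop with a verification step, which is the variant a defender would want if the daemon does end up holding root. All function names (drop_to_user, privileges_match, run_as_user) are this example's own; the pipe-back of the child's uid is an assumption used only so the parent can confirm the drop actually happened.

```c
/* Added example: privileged parent, permanently de-privileged child.
 * Not from the thread; names and the pipe-back are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Order matters: supplementary groups and
 * gid first (they need root), uid last. setres*id() sets real, effective
 * and saved ids together, so no saved uid remains to climb back to root. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may call setgroups(); an unprivileged caller keeps its groups. */
        if (setgroups(1, &gid) != 0)
            return -1;
    }
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/* Return 1 if all three uids/gids equal the target and, for a non-root
 * target, root cannot be regained; 0 otherwise. */
int privileges_match(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)
        return 0; /* got root back: the drop was not permanent */
    return 1;
}

/* Fork, drop privileges in the child, report the child's uid to the parent
 * over a pipe, then exec argv (or exit 0 when argv is NULL).
 * Returns 0 on success; *seen_uid receives the uid the child observed. */
int run_as_user(uid_t uid, gid_t gid, char *const argv[], uid_t *seen_uid)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        if (drop_to_user(uid, gid) != 0 || !privileges_match(uid, gid))
            _exit(111);
        uid_t me = getuid();
        if (write(fds[1], &me, sizeof me) != (ssize_t)sizeof me)
            _exit(112);
        close(fds[1]);
        if (argv == NULL)
            _exit(0);
        execv(argv[0], argv);
        _exit(127); /* exec failed */
    }
    close(fds[1]);
    uid_t reported = (uid_t)-1;
    ssize_t n = read(fds[0], &reported, sizeof reported);
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (n != (ssize_t)sizeof reported || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    if (seen_uid)
        *seen_uid = reported;
    return 0;
}

int main(void)
{
    /* Demo: run `id` as the current user through the fork/drop/exec path. */
    char *const cmd[] = { "/bin/sh", "-c", "id", NULL };
    uid_t seen;
    if (run_as_user(getuid(), getgid(), cmd, &seen) != 0) {
        perror("run_as_user");
        return 1;
    }
    printf("child ran as uid %u\n", (unsigned)seen);
    return 0;
}
```

The point of privileges_match() is the part a bare seteuid() skips: seteuid() leaves the saved uid untouched, so a later seteuid(0) succeeds, whereas setresuid() on all three ids makes the drop irreversible, and the setuid(0) probe confirms it.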
Thread overview: 6+ messages
2004-08-24 4:50 setpeuid(pid_t, uid_t) proposal Jerry Haltom
2004-08-24 5:58 ` Valdis.Kletnieks
2004-08-24 6:27 ` Jerry Haltom [this message]
2004-08-24 12:01 ` Valdis.Kletnieks
2004-08-24 13:30 ` Gianni Tedesco
2004-08-28 19:15 ` Alan Cox