From: qiyong <qiyong@fc-cn.com>
To: Erik Mouw <erik@harddisk-recovery.com>
Cc: linux-kernel@vger.kernel.org, dhommel@gmail.com
Subject: Re: syscall: sys_promote
Date: Mon, 29 Aug 2005 11:55:43 +0800
Message-ID: <4312873F.8060006@fc-cn.com>
In-Reply-To: <20050826124738.GD28640@harddisk-recovery.com>
Erik Mouw wrote:
>On Fri, Aug 26, 2005 at 05:25:37PM +0800, Coywolf Qi Hunt wrote:
>
>
>>I just wrote a tool with a kernel patch, which sets the uids of a running
>>process without FORK.
>>
>>The tool is at http://users.freeforge.net/~coywolf/pub/promote/
>>Usage: promote <pid> [uid]
>>
>>I once needed such a tool to work together with my admin in order to tune my web
>>configuration. I think it's quite convenient sometimes.
>>
>>The situations I can imagine are:
>>
>>1) root processes can be set to normal privileges, to serve a web
>>service, for example.
>>
>>
>
>Most (if not all) web servers can be told to drop all privileges and
>run as a normal user. If not, you can use selinux to create a policy
>for such processes (IIRC that's what Fedora does).
>
>
In this way, it is the web servers themselves that drop the privileges;
it is not forced by the sysadmin. sys_promote is a new approach, different
from selinux or sudo: sys_promote manipulates an already running process,
while selinux or sudo is for the next process launched.
>
>
>>2) admins promote trusted users, so they can do some system work without knowing
>> the password
>>
>>
>
>Use sudo for that, it allows even much finer grained control.
>
>
sudo may become a security problem. The sysadmin and the user don't like
the user's account always having privileges. My sysadmin Hommel said this
to me:
[quote]
Alan is right, selinux can do things like that, but we don't want to
use selinux for only being able to "promote" root rights for some
simple job. To me it's more like a "one time sudo", and I consider it
generally useful on systems like zeus. Without the promote tool i'd
have to change some major parts in the system (implementing selinux
e.g.) or give permanent sudo/root permissions to a user.
[/quote]
>
>
>>3) admins can `promote' a suspect process instead of killing it.
>>
>>
>
>Why would that change anything? You only change a process's UID,
>nothing else. You don't change things like resource limits, so a
>process started as root with unlimited limits is still allowed to use
>those limits. AFAIK setrlimit() can't be used to change resource limits
>of other processes.
>
>
>Erik
>
>
>
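The privilege drop Erik is recommending, together with his point that changing a process's uid leaves its resource limits untouched, as an added C example. This is not code from the thread or from the promote tool. It clears supplementary groups, then the gid, then the uid (the only order that works once root is gone), verifies the result instead of trusting return codes, checks that root cannot be regained, and then shows that both the soft and the hard RLIMIT_NOFILE survive the uid change. The "nobody" uid/gid of 65534 used when run as root, and the soft limit of 256, are assumptions of the example, not values from the thread.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Order matters: supplementary groups and the
 * gid must go while we are still root, because once the uid is unprivileged
 * neither setgroups() nor a setregid() to a foreign group is allowed.
 * Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clearing supplementary groups needs CAP_SETGID; when already
     * unprivileged there is nothing we could change anyway. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* setre*id() with both real and effective set also overwrites the saved
     * id, so no privileged saved id is left behind (see setreuid(2)). */
    if (setregid(gid, gid) != 0)
        return -1;
    if (setreuid(uid, uid) != 0)
        return -1;

    /* Verify instead of trusting the return values. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }

    /* For an unprivileged target, setuid(0) must now fail. It would succeed
     * if any of the real, effective or saved uid were still 0. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Lower the soft RLIMIT_NOFILE, change uid/gid, and report whether both the
 * soft and the hard limit survived the change. Returns 1 if unchanged,
 * 0 if they changed, -1 on error. The cap of 256 is an arbitrary demo value. */
int rlimits_survive_uid_change(uid_t uid, gid_t gid)
{
    struct rlimit before, after;

    if (getrlimit(RLIMIT_NOFILE, &before) != 0)
        return -1;
    if (before.rlim_cur > 256)
        before.rlim_cur = 256;  /* lowering a soft limit needs no privilege */
    if (setrlimit(RLIMIT_NOFILE, &before) != 0)
        return -1;

    if (drop_privileges(uid, gid) != 0)
        return -1;

    if (getrlimit(RLIMIT_NOFILE, &after) != 0)
        return -1;
    return after.rlim_cur == before.rlim_cur && after.rlim_max == before.rlim_max;
}

int main(void)
{
    /* Assumption for the demo: 65534 is the "nobody" uid/gid. When not run
     * as root we can only "change" to the ids we already hold. */
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    int r = rlimits_survive_uid_change(uid, gid);

    if (r < 0) {
        perror("rlimits_survive_uid_change");
        return 1;
    }
    printf("uid=%u euid=%u gid=%u: RLIMIT_NOFILE %s the uid change\n",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)getgid(),
           r ? "survived" : "changed across");
    return r ? 0 : 1;
}
```

Run as root it ends up as 65534 with the same soft and hard limits it started with, which is the behaviour Erik describes for a process whose uid is changed from outside: the hard limit set for root is still there. Erik's remark that setrlimit() cannot reach another process held for the 2.6.13-era kernel the thread is about; Linux 2.6.36 later added prlimit(2) for exactly that purpose.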
Thread overview (13+ messages):
2005-08-26 9:25 syscall: sys_promote Coywolf Qi Hunt
2005-08-26 11:02 ` Coywolf Qi Hunt
2005-08-26 15:19 ` Alan Cox
2005-08-29 3:54 ` qiyong
2005-08-29 12:29 ` Alan Cox
2005-08-29 16:15 ` Trond Myklebust
[not found] ` <a36005b505082908415d9202d5@mail.gmail.com>
2005-08-31 7:53 ` Qi Yong
2005-08-31 7:58 ` Qi Yong
2005-08-26 12:47 ` Erik Mouw
2005-08-29 3:55 ` qiyong [this message]
2005-08-29 7:53 ` Bernd Petrovitsch
2005-08-29 8:16 ` Coywolf Qi Hunt
2005-08-29 8:53 ` Bernd Petrovitsch