From: Helge Hafting <helge.hafting@aitel.hist.no>
To: gogi-k@gogi.tv
Cc: linux-kernel@vger.kernel.org
Subject: Re: One process with multiple user ids.
Date: Mon, 08 Oct 2007 12:15:53 +0200 [thread overview]
Message-ID: <470A0359.5090008@aitel.hist.no> (raw)
In-Reply-To: <200710021334.34950.gogi-k@gogi.tv>
Giuliano Gagliardi wrote:
> On Tuesday 02 October 2007, Jan Engelhardt wrote:
>
>> On Oct 2 2007 12:56, Giuliano Gagliardi wrote:
>>
>>> I have a server that has to switch to different user ids, but because it
>>> does other complex things, I would rather not have it run as root. I only
>>> need the server to be able to switch to certain pre-defined user ids.
>>>
>> All you need is CAP_SETUID. Also see man setresuid,
>> where you could, I think, use saved_uid=0 if you do not
>> like to use real_uid=0 effective_uid=non-0.
>>
>
> But CAP_SETUID would let me change to any uid, would it not? I would like my
> process to have no possibility to change to any uid, except some predefined
> set, so that in case of a security hole only those uids could be compromised.
Why exactly do you need to change UID to a predefined set?
Do your app need to work with files owned by those users perhaps?
If so, consider filesystem solutions:
* make a group with all these users in, make the files rw for this group
or
* Use ACLs and let whatever UID your process use, have access to
the files in question.
Another approach if filesystem tricks don't fit your need:
Have a small process running as root. It should not do much
io or data processing, so its source is small and easy to audit. You
can make reasonably sure it has no security holes. This minimal app
will when needed:
* fork,
* set the correct UID for this particular job,
* exec the app that do work that is so complicated that
security holes might happen.
Helge Hafting
next prev parent reply other threads:[~2007-10-08 10:17 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-02 10:56 One process with multiple user ids Giuliano Gagliardi
2007-10-02 11:23 ` Jan Engelhardt
[not found] ` <200710021333.05826.gogi-k@gogi.tv>
2007-10-02 11:34 ` Jan Engelhardt
2007-10-02 11:39 ` Giuliano Gagliardi
2007-10-02 11:52 ` Jan Engelhardt
2007-10-02 11:34 ` Giuliano Gagliardi
2007-10-02 13:23 ` Mark Lord
2007-10-08 10:15 ` Helge Hafting [this message]
2007-10-02 17:11 ` Chris Snook
2007-10-02 22:23 ` David Newall
2007-10-02 22:38 ` Bill Davidsen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=470A0359.5090008@aitel.hist.no \
--to=helge.hafting@aitel.hist.no \
--cc=gogi-k@gogi.tv \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox