[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: dropping setuid/setgid privileges

From: Sergey Poznyakoff
Subject: Re: dropping setuid/setgid privileges
Date: Wed, 10 Jun 2009 12:55:25 +0300

James Youngman <address@hidden> ha escrit:

> It's possible that one of the process's supplementary groups is
> privileged.   So we may also need to do something like this:
>   /* Use of setgroups() is restricted to root only. */
>   if (0 =3D=3D geteuid())
>     {
>       /* We're either root or running setuid-root. */
>       gid_t groups[1];
>       groups[0] =3D gid;
>       if (0 !=3D setgroups(1u, groups))

Yes, but on the other hand the caller might need to retain some
supplementary groups when dropping privileges. Perhaps it is worth
to provide a mechanism for that too? Something like

  idpriv_drop_grp (size_t ngrp, gid_t *groups)


reply via email to

[Prev in Thread] Current Thread [Next in Thread]