[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

dropping setuid/setgid privileges, round 2

From: Bruno Haible
Subject: dropping setuid/setgid privileges, round 2
Date: Thu, 11 Jun 2009 19:44:41 +0200
User-agent: KMail/1.9.9

Just came across these two articles, which goes into the same direction as
"Setuid demystified":

   * Dan Tsafrir, Dilma da Silva, David Wagner: The Murky Issue of Changing
     Process Identity: Revising "Setuid Demystified"
   * Dhruv Mohindra: Observe correct revocation order while relinquishing

The interesting points in this article:

* There are two types of processes that need to drop privileges:
  - Those which are installed as setuid/setgid binaries,
  - Those which are usually run as root.
  The gnulib functions, so far, are useful only for the first case.

* What happens with the supplementary groups? They are not changed
  by setuid, setgid. They don't exist in a "real" vs. "effective" flavour.
  So the process may be up running with the effective uid and gid of one
  user and with the supplementary groups of another user. Sometimes this
  is desired, sometimes not...

* Regarding abort() vs. "return -1" - hi Sam! -, they say:
  "But while reporting failure through return values is possible, we advise
   against it, as it might leave the identity in an inconsistent state. Thus,
   when an identity change fails in the middle, programmers should either
   abort, or really know what they’re doing."

* Their functions take the target credentials as arguments, while the
  gnulib functions take no arguments, for ease of use.

* On FreeBSD, the setgroups() system call is not POSIX compliant: It affects
  the effective gid. coreutils/src/setuidgid.c works around this problem,
  but a comment about this portability problem would be nice.

* AIX 5.3 appears to have a function getuidx()
  that could be used to implement getresuid() on this system.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]