Re: dropping setuid/setgid privileges

From: James Youngman
Subject: Re: dropping setuid/setgid privileges
Date: Fri, 12 Jun 2009 00:01:58 +0100

On Thu, Jun 11, 2009 at 10:10 PM, Bruno Haible <address@hidden> wrote:

> Shouldn't the program also call setgroups (possibly indirectly through
> initgroups), in order to make sure that it can write any file that the
> user can write to?

That is usually necessary but not always sufficient, for example see

> For example, the user can write to a file that he
> does not own but which is chgrp'ed to a group that is contained among
> his supplementary groups. The program may need to write to such a file.
> If it has only the user's uid and gid, it cannot do it. So it needs
> also to acquire all supplementary groups of the user, right?

One option would be for the program to be setgid instead of setuid, if
it's the group membership that's important.  I believe you are (or
were) implying that there is no obvious one-size-fits-all solution
here and I agree.

I had side-stepped the issue myself for locate by just dropping all
supplemental groups, but now realise that this may produce subtle
differences of behaviour when reading slocate databases (since that
automatically enables the file-existence check as if -E had been
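Below is an added C example illustrating the two approaches discussed in this thread: acquiring the user's supplementary groups with initgroups (Bruno's suggestion) or deliberately dropping all of them with setgroups (the approach described for locate), followed by a check that the drop is permanent. It is not code from findutils or from either poster; the function names drop_to_user, drop_is_permanent and demo_drop_to_self are this example's own.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Give up setuid/setgid privileges and run as uid/gid.
 *
 * If `name` is non-NULL the supplementary group list is rebuilt from the
 * passwd/group database with initgroups(), so the process can still write
 * files that are only group-writable via one of the user's groups.  If
 * `name` is NULL every supplementary group is dropped (the list becomes just
 * `gid`), which is simpler but can change behaviour on group-writable files.
 *
 * Order matters: the group list, then the gid, then the uid.  Once the
 * effective uid is no longer root, setgroups()/setgid() fail with EPERM.
 * Returns 0 on success, -1 on failure with errno set.
 */
int drop_to_user(const char *name, uid_t uid, gid_t gid)
{
    /* Only a privileged process may change its supplementary group list; a
     * process that never had root has nothing to drop here. */
    if (geteuid() == 0) {
        int rc = (name != NULL) ? initgroups(name, gid) : setgroups(1, &gid);
        if (rc != 0)
            return -1;
    }
    if (setgid(gid) != 0)   /* sets real, effective and saved gid when root */
        return -1;
    if (setuid(uid) != 0)   /* sets real, effective and saved uid when root */
        return -1;
    return 0;
}

/* Verify the drop: real and effective ids must equal the target, and a
 * non-root process must not be able to become root again (which would mean
 * the saved uid was left as 0).  Returns 1 if privileges are gone, 0 if not. */
int drop_is_permanent(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)   /* regained root: drop was incomplete */
        return 0;
    return 1;
}

/* Drop to the caller's own real uid/gid with all supplementary groups
 * removed, then report whether the drop is permanent.  Works whether or not
 * the process started as root. */
int demo_drop_to_self(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_to_user(NULL, uid, gid) != 0) {
        perror("drop_to_user");
        return 0;
    }
    return drop_is_permanent(uid, gid);
}

int main(void)
{
    int ok = demo_drop_to_self();
    printf("privileges dropped permanently: %s (uid=%ld gid=%ld)\n",
           ok ? "yes" : "no", (long)getuid(), (long)getgid());
    return ok ? 0 : 1;
}
```

The initgroups path needs the target user's name because the supplementary group list lives in the group database, not in the uid; callers that only know the uid have to look the name up with getpwuid() first.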