[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: dropping setuid/setgid privileges

From: James Youngman
Subject: Re: dropping setuid/setgid privileges
Date: Fri, 12 Jun 2009 10:53:33 +0100

On Fri, Jun 12, 2009 at 12:29 AM, Bruno Haible<address@hidden> wrote:

>> That is usually necessary but not always sufficient, for example see
>> http://blogs.sun.com/peteh/date/20050614
> What do you mean by "not always sufficient", other than kernel bugs and
> implementation limits? Assuming a small number of supplementary groups,
> all a process needs to have in order to access all files that a user has
> access to is that
>  - the process' uid = the user's uid,
>  - the process' gid and supplementary groups together contain all groups
>    to which the user belongs.
> No?

Precisely; the number of supplementary groups may not be small, yet
the 16-group limit for NFS is very common.   An implementation limit
which is almost universal is something for which one can't usefully
say "fix your implementation".   But we're wandering away from the
main point; a ~full explanation is given at the URL quoted earlier.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]