Re: dropping setuid/setgid privileges

From: Bruno Haible
Subject: Re: dropping setuid/setgid privileges
Date: Fri, 12 Jun 2009 12:48:49 +0200
User-agent: KMail/1.9.9

James Youngman wrote:
> >> That is usually necessary but not always sufficient, for example see
> >> http://blogs.sun.com/peteh/date/20050614
> ...
> Precisely; the number of supplementary groups may not be small, yet
> the 16-group limit for NFS is very common.   An implementation limit
> which is almost universal is something for which one can't usefully
> say "fix your implementation".

Sure. But it's nothing that affects programs that are run as root and
then drop privileges in a particular way. The number of supplementary
groups is quite commonly less than 16. In those cases where it is not,
the users will notice that also with regular "cp" and "cat" commands
they cannot access the files to which they should have access, and will
reduce the number of their supplementary groups. So this is a problem
that system administrators who assign groups to users need to worry
about. But programs that drop privileges will hardly stumble into
this problem, except if they want to add particular groups and the user
is already at the limit of 16 supplementary groups.
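
Added example, not part of the original message: a C example of the one case the reply singles out, a program that wants to add particular groups while the user may already be at the 16-group limit. The helper `merge_groups`, the constant `NFS_GROUP_LIMIT` and the gid 4242 are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: 16 is the NFS supplementary-group limit named in the thread. */
#define NFS_GROUP_LIMIT 16

/* Hypothetical helper: merge `extra` into `cur`, skipping duplicates, and
 * write the result to `out` (room for `limit` entries). Returns the merged
 * count, or -1 if the merged list would exceed `limit`, so the caller can
 * refuse instead of ending up with a truncated group list. */
int merge_groups(const gid_t *cur, int ncur, const gid_t *extra, int nextra,
                 gid_t *out, int limit)
{
    int n = 0;
    for (int i = 0; i < ncur + nextra; i++) {
        gid_t g = (i < ncur) ? cur[i] : extra[i - ncur];
        int dup = 0;
        for (int j = 0; j < n; j++)
            if (out[j] == g) { dup = 1; break; }
        if (dup)
            continue;               /* already present: costs no slot */
        if (n == limit)
            return -1;              /* one more distinct group will not fit */
        out[n++] = g;
    }
    return n;
}

int main(void)
{
    int ncur = getgroups(0, NULL);  /* size 0: return the count only */
    if (ncur < 0) { perror("getgroups"); return 1; }
    gid_t *cur = malloc((ncur + 1) * sizeof *cur);
    if (!cur) return 1;
    ncur = getgroups(ncur, cur);
    if (ncur < 0) { perror("getgroups"); free(cur); return 1; }

    gid_t extra[] = { 4242 };       /* constructed sample gid to add */
    gid_t out[NFS_GROUP_LIMIT];
    int n = merge_groups(cur, ncur, extra, 1, out, NFS_GROUP_LIMIT);
    if (n < 0)
        printf("merged list would exceed %d groups; refusing\n", NFS_GROUP_LIMIT);
    else
        printf("merged list has %d of %d groups\n", n, NFS_GROUP_LIMIT);
    free(cur);
    return 0;
}
```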

