Re: [Proposal] switching user and group id

From: Martin Pala
Subject: Re: [Proposal] switching user and group id
Date: Wed, 09 Apr 2003 23:10:12 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030327 Debian/1.3-4

It could be useful for some users. I don't currently run any application which will require it, so my vote is +0.


Jan-Henrik Haukeland wrote:

I was starting a program the other day from monit. The program should
run as a special user but does not switch to a new uid and gid like
apache does. So if monit is run by root the program also runs as the
root user. It occurred to me that switching uid (and gid) can be done
by monit.
Before monit starts a program it forks off a new process; in this process
the uid/gid could be changed before monit starts the program. (A
sample function for doing such a switch is provided below as an

The START statement in the control file will need to be extended with
an optional part as shown here:

check XYZ ..
  start "/etc/init.d/xyz start" as USER nobody and GROUP nobody

Would such a functionality be useful for others and something we
should implement in monit?

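#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* STRLEN, TRUE, FALSE and log() are not defined in this message and are
 * assumed to come from the surrounding program. */

/**
 * Change the current user and group identity to the new user and
 * group.  This method does nothing unless the program is run by the
 * super-user.
 * @param user A string specifying the user id the process should
 * switch to.
 * @param group A string specifying the group id the process should
 * switch to.
 * @return TRUE on success otherwise FALSE
 */
int change_identity(const char *user, const char *group) {

  int r=0;

  if(! getuid()) {

    char buf[STRLEN];
    struct group *g;
    struct group gid;
    struct passwd *u;
    struct passwd uid;

    /* Resolve both names first; a NULL result with r == 0 means the
     * name does not exist */
    if(0 != (r= getpwnam_r(user, &uid, buf, STRLEN, &u)))
      goto error;
    if(! u) { r= ENOENT; goto error; }
    if(0 != (r= getgrnam_r(group, &gid, buf, STRLEN, &g)))
      goto error;
    if(! g) { r= ENOENT; goto error; }

    /* Switch the group before the user: once setuid() has dropped
     * root, setgid() is no longer permitted */
    if(0 != setgid(g->gr_gid)) { r= errno; goto error; }
    if(0 != setuid(u->pw_uid)) { r= errno; goto error; }

    return TRUE;

  error:
    log("Error looking up user id or group id -- %s\n", strerror(r));

  }

  return FALSE;

}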
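
The fork-then-switch sequence proposed in the quoted message, as an added example that is not part of the original thread and is not monit's code: the child drops its supplementary groups, then the gid, then the uid, verifies the switch, and only then execs. The names `run_as`, `drop_to` and `DROP_FAILED`, and the sample program path in `main`, are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE               /* declares setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DROP_FAILED 126               /* hypothetical child exit code: switch failed */

/* Runs in the forked child only: irreversibly become user/group. 0 on success. */
static int drop_to(const char *user, const char *group) {
    struct passwd *pw = getpwnam(user);      /* resolve names while still root */
    if (pw == NULL) return -1;
    uid_t uid = pw->pw_uid;                  /* copy: result is static storage */
    struct group *gr = getgrnam(group);
    if (gr == NULL) return -1;
    gid_t gid = gr->gr_gid;
    /* Order matters: supplementary groups, then gid, then uid. Once the
       uid is dropped the process may no longer change its groups. */
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the switch took effect and cannot be undone. */
    if (uid != 0 && setuid(0) == 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Fork, switch identity in the child, exec argv there. Returns the
   child's exit status, or -1 if fork/wait failed or it died on a signal. */
int run_as(const char *user, const char *group, char *const argv[]) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_to(user, group) != 0)
            _exit(DROP_FAILED);              /* never exec with the old identity */
        execv(argv[0], argv);
        _exit(127);                          /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {   /* sample call: "nobody"/"nobody" as in the START example above */
    char *const argv[] = { "/usr/bin/id", NULL };
    printf("exit status: %d\n", run_as("nobody", "nobody", argv));
    return 0;
}
```

Run without root privileges, the child cannot change its groups and the call returns `DROP_FAILED` instead of starting the program under the caller's identity.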
