bug-gnulib

Re: dropping setuid/setgid privileges


From: Bruno Haible
Subject: Re: dropping setuid/setgid privileges
Date: Thu, 11 Jun 2009 23:10:47 +0200
User-agent: KMail/1.9.9

Sergey Poznyakoff wrote:
> > What is the use-case that you are considering? A setuid/setgid executable,
> > or an executable run by root?
> 
> I was considering an executable run by root.

Ah, I see. That requires a different API, one that takes the target uid and
gid (and supplementary groups) as arguments.

> > And what task does it do, related to the user's data and devices?
> 
> Retaining supplementary is often necessary for the program to be
> able to access various files. I use this approach in Mailfromd

And it's necessary to relinquish those groups because on some systems,
'root' is a member of many groups - privileges that the program does not
need. For example, on MacOS X:

  $ grep root /etc/group
  wheel:*:0:root
  daemon:*:1:root
  kmem:*:2:root
  sys:*:3:root
  tty:*:4:root
  operator:*:5:root
  procview:*:8:root
  procmod:*:9:root
  staff:*:20:root
  certusers:*:29:root,_jabber,_postfix,_cyrus,_calendar
  admin:*:80:root

Shouldn't the program also call setgroups (possibly indirectly through
initgroups), in order to make sure that it can write any file that the
user can write to? For example, the user can write to a file that he
does not own but which is chgrp'ed to a group that is contained among
his supplementary groups. The program may need to write to such a file.
If it has only the user's uid and gid, it cannot do it. So it needs
also to acquire all supplementary groups of the user, right?

Bruno
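The sequence discussed above, as an added example that is not part of this thread or of gnulib: a root-run program switching to a target user replaces root's supplementary groups with the user's own via initgroups, then sets gid and uid, and verifies that root cannot be regained and that the supplementary set now matches the user's. The function names and MAX_GROUPS are this example's own, and it is written against glibc's getgrouplist signature.

```c
#define _GNU_SOURCE 1 /* glibc: declare initgroups/getgrouplist */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256 /* assumption: enough for ordinary accounts */

static int contains(const gid_t *s, int n, gid_t g)
{
  for (int i = 0; i < n; i++) if (s[i] == g) return 1;
  return 0;
}

/* Equal as sets: order and duplicates are ignored. */
int same_gid_set(const gid_t *a, int na, const gid_t *b, int nb)
{
  for (int i = 0; i < na; i++) if (!contains(b, nb, a[i])) return 0;
  for (int j = 0; j < nb; j++) if (!contains(a, na, b[j])) return 0;
  return 1;
}

/* Switch a root process to USER. Supplementary groups go first (setgroups
   needs root), then gid, then uid; afterwards verify that root cannot be
   regained and that the supplementary set is exactly the user's own, i.e.
   root's groups are gone. Returns 0 on success, -1 with errno set. */
int drop_to_user(const char *user)
{
  struct passwd *pw = getpwnam(user);
  if (pw == NULL) { errno = ENOENT; return -1; }
  if (pw->pw_uid == 0) { errno = EINVAL; return -1; } /* nothing to drop to */
  if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
  if (setgid(pw->pw_gid) != 0) return -1;
  if (setuid(pw->pw_uid) != 0) return -1;
  if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid
      || getgid() != pw->pw_gid || getegid() != pw->pw_gid
      || setuid(0) == 0) { errno = EPERM; return -1; } /* drop incomplete */
  gid_t have[MAX_GROUPS], want[MAX_GROUPS];
  int nhave = getgroups(MAX_GROUPS, have), nwant = MAX_GROUPS;
  if (nhave < 0 || getgrouplist(pw->pw_name, pw->pw_gid, want, &nwant) < 0
      || !same_gid_set(have, nhave, want, nwant)) { errno = EPERM; return -1; }
  return 0;
}
```

Only the entry as root reaches the setgid/setuid calls; from an unprivileged process, initgroups fails with EPERM and the function reports that.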
