From owner-freebsd-hackers@FreeBSD.ORG Sun Nov 29 10:14:48 2009
From: Anthony Pankov <ap00@mail.ru>
Date: Sun, 29 Nov 2009 13:19:02 +0300
To: Clifton Royston
Cc: freebsd-hackers@freebsd.org
Subject: Re[2]: ucred when euid/egid
Message-ID: <5870478546.20091129131902@mail.ru>
In-Reply-To: <20091128182803.GA13793@lava.net>
References: <20091128120018.16D2C10656C7@hub.freebsd.org> <20091128182803.GA13793@lava.net>
List-Id: Technical Discussions relating to FreeBSD

Thank you for the reply.

So, seteuid/gid isn't enough to gain group access as for the real uid. But how can I achieve this? What functions should I call from 'theprog' to gain access for the groups the euid user belongs to?

Maybe I am solving the problem in the wrong way? The full problem is:

There is a file owned by group filegroup:

    rw-rw---- someone:filegroup thefile

There is a program's data owned by group proggroup:

    rw-rw---- someone2:proggroup progdata

I need a program (theprog) that can access 'thefile' and 'progdata' simultaneously. The program can be executed by anyone.

My idea was to seteuid theprog to a user who is a member of one group (filegroup) and setegid theprog to another group (proggroup). In that way I was going to give theprog the rights to work with both files.

P.S. I don't want to use file ACLs.

Saturday, November 28, 2009, 9:28:03 PM, you wrote:

>> Hello,
>>
>> I face some misunderstood situation related to the access permissions.
>>
>> There is a program (script) with the suid/sgid (mode 6555):
>>
>>     r-sr-sr-x fuser:proggroup theprog
>>
>> There is a file:
>>
>>     rw-rw---- someone:filegroup thefile
>>
>> User 'fuser' (==program euid) has primary group 'filegroup' (==group
>> who can read/write thefile).
>>
>> The program tries to read (write) thefile and fails with permissions.
>>
>> I don't fully understand why.

CR> There is no bug; when you use the suid/sgid facility, the program
CR> gains the effective user ID and/or the effective GID of the executable.
CR> It does *not* gain any gids which the effective user is added to at
CR> login.

CR> man seteuid for more info.

CR> In what you have shown, theprog has neither the same user (fuser vs.
CR> someone) nor the same group (proggroup vs. filegroup) as the file you
CR> want it to modify.

CR> For what you want to do to work correctly, you would need to either
CR> make theprog's ownership be:

CR>     anyuser:filegroup

CR> or

CR>     fuser:proggroup

CR> -- Clifton

-- 
Best regards,
Anthony                            mailto:ap00@mail.ru
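Clifton's point above, that the set-id bits change only the effective uid/gid while the supplementary group list stays the one the real (logged-in) caller brought along, as an added example that is not from this thread or from FreeBSD's own sources: a simplified model of the classic owner/group/other permission check (superuser and ACLs are ignored, and the numeric ids are constructed stand-ins for the names in the thread). It shows the proposed theprog (euid fuser, egid proggroup) opening progdata but not thefile, and thefile becoming reachable only when the caller is personally in filegroup.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

enum { R_BIT = 4, W_BIT = 2 };

/* Credentials as the kernel sees them: the effective ids come from the
 * set-id bits; the supplementary list belongs to the user who logged in. */
struct cred {
    uid_t euid; gid_t egid;  /* from the executable's set-id bits */
    const gid_t *groups;     /* supplementary groups of the *real* user */
    size_t ngroups;
};

struct file { uid_t uid; gid_t gid; unsigned mode; };   /* mode e.g. 0660 */

static bool in_groups(const struct cred *c, gid_t g)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* Classic owner/group/other check; superuser and ACLs are ignored. */
bool may_access(const struct cred *c, const struct file *f, unsigned want)
{
    unsigned bits;
    if (c->euid == f->uid)
        bits = (f->mode >> 6) & 7;                        /* owner class */
    else if (c->egid == f->gid || in_groups(c, f->gid))
        bits = (f->mode >> 3) & 7;                        /* group class */
    else
        bits = f->mode & 7;                               /* other class */
    return (bits & want) == want;
}

/* Constructed numeric ids standing in for the names used in the thread. */
enum { SOMEONE = 1001, SOMEONE2 = 1002, FUSER = 1003,
       FILEGROUP = 2001, PROGGROUP = 2002, USERS = 2003 };
static const struct file thefile  = { SOMEONE,  FILEGROUP, 0660 };
static const struct file progdata = { SOMEONE2, PROGGROUP, 0660 };

/* theprog as proposed (euid fuser, egid proggroup) opening 'f' read/write
 * when started by a caller whose login groups are caller[0..n). */
bool theprog_opens(const struct file *f, const gid_t *caller, size_t n)
{
    struct cred c = { FUSER, PROGGROUP, caller, n };
    return may_access(&c, f, R_BIT | W_BIT);
}
```

On a real system, getgroups(2) called from inside the set-id program returns the same list this model uses: the caller's login groups, untouched by the set-id bits.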