Date:      Sun, 7 Apr 2002 15:18:55 +0100 (BST)
From:      Jan Grant <Jan.Grant@bristol.ac.uk>
To:        Paweł Jakub Dawidek <nick@garage.freebsd.pl>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Patch for setgroups().
Message-ID:  <Pine.GSO.4.44.0204071517460.19282-100000@mail.ilrt.bris.ac.uk>
In-Reply-To: <20020407160118.A84861@garage.freebsd.pl>

On Sun, 7 Apr 2002, Paweł Jakub Dawidek wrote:

> Hey.
>
> What do You think about this patch?
> This can help non-root applications like apache etc.
> For example when I got access to many files from many groups when attacker
> will exploit this application he got access to all files, coz there is no
> way to setgroups() if I am non-root and maybe only daemon needs access to all
> files - child needs only access to files owned by one group.

This breaks the (rare) case of using group membership for negative
access control.

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
perl -e 's?ck?t??print:perl==pants if $_="Just Another Perl Hacker\n"'
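
Added example, not part of the original message or of the proposed patch: a simplified C model of the classic UNIX owner/group/other permission check, showing the negative-access-control case the reply refers to, where group membership removes access that "other" would grant. The uid/gid values, the 0604 mode and all function names are constructed for illustration, and the model ignores the superuser, ACLs and MAC policies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Simplified model of the classic UNIX permission check.
 * Assumptions: no superuser override, no ACLs, no MAC policy. */
struct cred { uid_t uid; const gid_t *groups; size_t ngroups; };
struct file_meta { uid_t uid; gid_t gid; mode_t mode; };

static bool in_group(const struct cred *c, gid_t gid) {
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return true;
    return false;
}

/* want is a mask of 4 (read), 2 (write), 1 (execute).
 * Exactly one class is consulted: owner, else group, else other. */
bool may_access(const struct cred *c, const struct file_meta *f, mode_t want) {
    mode_t bits;
    if (c->uid == f->uid)
        bits = (f->mode >> 6) & 7;
    else if (in_group(c, f->gid))
        bits = (f->mode >> 3) & 7;  /* group match wins even if "other" grants more */
    else
        bits = f->mode & 7;
    return (bits & want) == want;
}

/* Constructed data: mode 0604 denies gid 2000 what everyone else may read. */
static const struct file_meta report = { 0, 2000, 0604 };
static const gid_t full_set[]    = { 1001, 2000 };
static const gid_t dropped_set[] = { 1001 };  /* gid 2000 removed from the list */

bool member_can_read(void) {
    struct cred c = { 1001, full_set, 2 };
    return may_access(&c, &report, 4);
}

bool after_drop_can_read(void) {
    struct cred c = { 1001, dropped_set, 1 };
    return may_access(&c, &report, 4);
}

int main(void) {
    printf("member of 2000: %d, after dropping 2000: %d\n",
           member_can_read(), after_drop_can_read());
    return 0;
}
```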
