From: Jan Grant
Date: Sun, 7 Apr 2002 15:18:55 +0100 (BST)
To: Paweł Jakub Dawidek
Cc: freebsd-hackers@freebsd.org
Subject: Re: Patch for setgroups().
In-Reply-To: <20020407160118.A84861@garage.freebsd.pl>

On Sun, 7 Apr 2002, Paweł Jakub Dawidek wrote:

> Hey.
>
> What do You think about this patch?
> This can help non-root applications like apache etc.
> For example when I got access to many files from many groups when attacker
> will exploit this application he got access to all files, coz there is no
> way to setgroups() if I am non-root and maybe only demon needs access to all
> files - child needs only access to files owned by one group.

This breaks the (rare) case of using group membership for negative
access control.

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
perl -e 's?ck?t??print:perl==pants if $_="Just Another Perl Hacker\n"'
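
The objection in the reply above, as an added example (not code from this thread or from the FreeBSD source): a simplified model of the owner/group/other mode check, showing that a file with mode 0604 denies members of its group while allowing everyone else, and that a process able to drop that group regains access. The struct and function names, the uid/gid values and the file mode are all constructed for illustration.

```c
/* Added illustration, not FreeBSD kernel code: a simplified model of the
 * owner/group/other permission check. All names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

struct cred_model { uid_t uid; gid_t groups[8]; size_t ngroups; };
struct file_model { uid_t owner; gid_t group; mode_t mode; };

static bool in_group(const struct cred_model *c, gid_t g)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* Exactly one class applies: owner, else group, else other. */
bool may_read(const struct cred_model *c, const struct file_model *f)
{
    if (c->uid == 0)
        return true;                    /* superuser bypasses mode bits */
    if (c->uid == f->owner)
        return (f->mode & 0400) != 0;
    if (in_group(c, f->group))
        return (f->mode & 0040) != 0;   /* group bits decide, even if "other" allows */
    return (f->mode & 0004) != 0;
}

/* Models a process shrinking its own supplementary group list. */
size_t drop_group(struct cred_model *c, gid_t g)
{
    size_t kept = 0;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] != g)
            c->groups[kept++] = c->groups[i];
    return c->ngroups = kept;
}

int main(void)
{
    struct file_model f = { 0, 900, 0604 };           /* constructed: group 900 is denied */
    struct cred_model c = { 1001, { 1001, 900 }, 2 }; /* constructed non-root member */
    printf("member of 900:  read=%d\n", may_read(&c, &f));
    drop_group(&c, 900);
    printf("after dropping: read=%d\n", may_read(&c, &f));
    return 0;
}
```

A review of any such patch would need to check whether a site relies on modes like this before letting unprivileged processes shed groups.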