From owner-freebsd-security Wed Oct 24 23:44: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from science.slc.edu (Science.SLC.Edu [198.83.6.248]) by hub.freebsd.org (Postfix) with ESMTP id 58E5A37B40A for ; Wed, 24 Oct 2001 23:43:53 -0700 (PDT)
Received: (from aschneid@localhost) by science.slc.edu (8.11.0/8.11.0) id f9P6gk202196; Thu, 25 Oct 2001 02:42:46 -0400 (EDT) (envelope-from aschneid)
Date: Thu, 25 Oct 2001 02:42:41 -0400
From: Anthony Schneider
To: Dave
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: lowering uids, startup
Message-ID: <20011025024241.A2163@mail.slc.edu>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from mudman@R181172.resnet.ucsb.edu on Wed, Oct 24, 2001 at 11:36:16PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

You may create a /usr/local/etc/rc.d/ script which simply has

    su -c "command" user

in it, where user is the unprivileged user you want the program to run
under, and command is a quoted string of the full command and arguments.
For example:

    su -c "ls /root" nobody

will execute the command "ls /root" as user nobody. This is a pretty
lame example, because you wouldn't want it in a startup script, and
because I don't think /root is permed against non-root users, but you
see what I mean. :)

-Anthony.

On Wed, Oct 24, 2001 at 11:36:16PM -0700, Dave wrote:
>
> I am interested in learning how to start up a program (a 3rd party server
> program, a daemon, whatever) automatically from boot up without using
> inetd and without using a root uid.
>
> I do know that /usr/local/etc/rc.d/ (mostly from my ports downloads) will
> automatically run packages such as ssh and apache, and really anything you
> put in there. Unfortunately, these things initially run as root, so I'm
> skeptical about using it.
>
> Are there any good, safe, secure ways to automatically start up third
> party services in really low privileged environments?
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
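
An added example, not part of the original thread: an rc.d-style wrapper around the su approach described in the reply, which refuses to start the service if the configured account is missing or resolves to uid 0. SVC_USER, SVC_CMD and both function names are hypothetical, and the su call assumes FreeBSD's su(1) argument order (su -m user -c command).

```shell
#!/bin/sh
# Added example: start a third-party service from /usr/local/etc/rc.d/
# under an unprivileged account. SVC_USER and SVC_CMD are hypothetical
# placeholders, not values taken from the thread.
SVC_USER="nobody"
SVC_CMD="/usr/local/bin/exampled --foreground"

# Succeed only if the account exists and does not map to uid 0.
# A typo in the user name, or an alias for root, must not end with
# the service quietly running with full privileges.
check_target_user() {
    uid=$(id -u "$1" 2>/dev/null) || {
        echo "no such user: $1" >&2
        return 1
    }
    if [ "$uid" -eq 0 ]; then
        echo "refusing to start: $1 has uid 0" >&2
        return 1
    fi
    return 0
}

# Run the command as the target user. rc.d scripts are executed by
# root at boot, so su does not prompt for a password here.
start_unprivileged() {
    check_target_user "$1" || return 1
    # Assumes FreeBSD su(1): -m keeps the caller's environment and
    # shell, so accounts with a nologin shell can still run the command.
    su -m "$1" -c "$2"
}

# Act only when invoked as "script start", the way rc runs it at boot.
case "${1:-}" in
start)
    start_unprivileged "$SVC_USER" "$SVC_CMD"
    ;;
esac
```

The uid check runs before su, so a bad SVC_USER fails the start instead of falling back to root.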