From owner-freebsd-hackers@FreeBSD.ORG Tue Jan 6 10:11:50 2004
Date: Tue, 6 Jan 2004 18:11:41 +0000
From: Bruce M Simpson
To: Adil Katchi
cc: "'freebsd-hackers@freebsd.org'"
Subject: Re: switching between groups
Message-ID: <20040106181141.GA5995@saboteur.dek.spc.org>
List-Id: Technical Discussions relating to FreeBSD

On Tue, Jan 06, 2004 at 11:14:06AM -0500, Adil Katchi wrote:
> I was just wondering if anyone has any ideas how it's possible for a user
> that belongs to multiple groups to somehow limit his or her own capabilities
> by using only one of the n groups that they belong to and be able to switch
> between these groups? For example, if userA belongs to groupA, groupB and
> groupC, can userA enter a mode that would force it to only belong to groupA
> (or groupB, or groupC)? UserA would be able to switch between these groups
> and back to normal (i.e. belong to all groups).

newgrp(1) could be hacked to do this fairly easily. Currently it preserves
supplemental group memberships. An option to discard supplementals could be
added.

Or just call setgroups() with a no-op group-list vector and then setgid()/
setegid() from within your application.

BMS