From owner-freebsd-hackers@FreeBSD.ORG Sun Nov 29 20:13:43 2009
Date: Sun, 29 Nov 2009 10:13:40 -1000
From: Clifton Royston
To: Anthony Pankov
Cc: freebsd-hackers@freebsd.org
Subject: Re: ucred when euid/egid
Message-ID: <20091129201340.GA7066@lava.net>
In-Reply-To: <5870478546.20091129131902@mail.ru>
References: <20091128120018.16D2C10656C7@hub.freebsd.org> <20091128182803.GA13793@lava.net> <5870478546.20091129131902@mail.ru>

On Sun, Nov 29, 2009 at 01:19:02PM +0300, Anthony Pankov wrote:
> > Thank you for the reply.
>
> So, seteuid/gid isn't enough to gain group access as for real uid.
> But how can I achieve this? What functions should I call from
> 'theprog' to gain access for the groups the euid user belongs to?
>
> Maybe I solve the problem in the wrong way?
> > The full problem is:
> >
> > There is a file owned by group filegroup:
> >   rw-rw---- someone:filegroup thefile
> >
> > There is a program's data owned by group proggroup:
> >   rw-rw---- someone2:proggroup progdata
> >
> > I need a program (theprog) that can access 'thefile' and
> > 'progdata' simultaneously. Program can be executed by anyone.

This is a clearer statement of the problem, in terms of what you're
trying to accomplish.

If you can make the program data owned by a special program user, and
require the users of the program to make their files group-accessible
by this special filegroup, then you can do it fairly simply, like this:

Make each user's "thefile" be owned by group filegroup, for example:

  rw-rw---- someone:filegroup ~someone/thefile
  rw-rw---- someone2:filegroup ~someone2/thefile
  rw-rw---- someone3:filegroup ~someone3/thefile
  ...

Make the program's data file owned by *user* proguser:

  rw-rw---- proguser:proggroup progdata

Now you can make the program setuid proguser/setgid filegroup:

  r-sr-sr-x proguser:filegroup theprog

This lets it be executed by any user and access its own data (via the
suid) and the files the users have put into filegroup (via the sgid).

Note that the users should not themselves be members of filegroup
unless it's OK for them to read/write each others' data. You may need
either to provide an sgid utility which can be used to create or chown
that file to filegroup, or require them to be put in a shared directory
with filegroup gid and the directory sticky bit set.

Alternatively you could drop the sgid and simply require the file be
group readable/writable by the user's own group. In that case you have

  r-sr-xr-x proguser:bin theprog

and

  rw-rw---- someone:somegroup ~someone/thefile

> My idea was to seteuid theprog to user who is member of one group
> (filegroup) and setegid theprog to another group (proggroup). In that
> way I was going to give theprog rights to work with both files.
>
> P.S. I don't want to use file ACLs.
The standard Unix permissions aren't really extensible in that way.
You can do it as I've outlined above; that's getting close to the
limits of what you can readily do with the standard permissions. If it
gets more complicated, you will need to either do ACLs or something
still more creative.

sudo, for instance, does allow you to set a vector of groups to match
the user you're executing as. It may be possible to leverage the sudo
command into doing something more elaborate if you need to, with a
suitably crafted sudoers config file; you could also look into the code
that sudo uses to set the group vector, but that will require you to
write a suid root utility which adds a lot of security risks.

Hope this helps,
-- Clifton

--
Clifton Royston -- cliftonr@iandicomputing.com / cliftonr@lava.net
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services
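To make the credential mechanics in this exchange concrete, here is an added C model of the classic Unix owner/group/other access check (example code, not from the thread or from FreeBSD's kernel), evaluated against the file layouts discussed above: the suid proguser/sgid filegroup layout, Anthony's seteuid/setegid idea, and the same idea once the group vector is replaced the way sudo does. All uids, gids and group memberships are constructed placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Credential as the access check sees it: effective ids plus the supplementary
 * group vector, which exec(), seteuid() and setegid() all leave untouched. */
struct cred { uid_t euid; gid_t egid; const gid_t *groups; size_t ngroups; };
struct fileinfo { uid_t uid; gid_t gid; mode_t mode; };  /* as from stat(2) */
enum { P_R = 4, P_W = 2 };                              /* bits within one rwx class */
static bool in_groups(const struct cred *c, gid_t gid) {
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return true;
    return false;
}

/* Classic discretionary check: owner bits if euid matches, else group bits if
 * egid or any supplementary group matches, else other bits; one class only. */
bool unix_access(const struct cred *c, const struct fileinfo *f, mode_t want) {
    mode_t bits;
    if (c->euid == f->uid)
        bits = (f->mode & S_IRWXU) >> 6;
    else if (c->egid == f->gid || in_groups(c, f->gid))
        bits = (f->mode & S_IRWXG) >> 3;
    else
        bits = f->mode & S_IRWXO;
    return (bits & want) == want;
}
/* Constructed ids for the mail's scenario (placeholders, not real accounts). */
enum { UID_SOMEONE = 1001, UID_FILEUSER = 1500, UID_PROGUSER = 2000,
       GID_SOMEGROUP = 1001, GID_FILEGROUP = 3000, GID_PROGGROUP = 3001 };
static const struct fileinfo thefile  = { UID_SOMEONE,  GID_FILEGROUP, 0660 };
static const struct fileinfo progdata = { UID_PROGUSER, GID_PROGGROUP, 0660 };
static const gid_t someone_groups[]  = { GID_SOMEGROUP };  /* invoker's vector */
static const gid_t fileuser_groups[] = { GID_FILEGROUP };  /* a filegroup member's */
/* Can theprog, running with these credentials, read and write both files? */
bool theprog_rw_both(uid_t euid, gid_t egid, const gid_t *groups, size_t n) {
    struct cred c = { euid, egid, groups, n };
    return unix_access(&c, &thefile, P_R | P_W) && unix_access(&c, &progdata, P_R | P_W);
}
/* r-sr-sr-x proguser:filegroup theprog, run by someone: both files open. */
bool layout_suid_proguser_sgid_filegroup(void)
{ return theprog_rw_both(UID_PROGUSER, GID_FILEGROUP, someone_groups, 1); }
/* euid = filegroup member, egid = proggroup, invoker's vector kept: thefile refused. */
bool layout_seteuid_member_setegid_proggroup(void)
{ return theprog_rw_both(UID_FILEUSER, GID_PROGGROUP, someone_groups, 1); }
/* Same ids once the vector is replaced the way sudo/initgroups does: both open. */
bool layout_seteuid_member_with_group_vector(void)
{ return theprog_rw_both(UID_FILEUSER, GID_PROGGROUP, fileuser_groups, 1); }
```

The second layout fails because only the effective uid changes; the supplementary groups of the target user are never consulted, which is exactly why a suid root helper or sudo has to call into setgroups/initgroups to get them.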