Date:      Sun, 8 Jul 2001 15:20:05 -0700 (PDT)
From:      Kris Kennaway <kris@obsecurity.org>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: bin/28333: rtprio/idprio setuid problems
Message-ID:  <200107082220.f68MK5Z06631@freefall.freebsd.org>

The following reply was made to PR bin/28333; it has been noted by GNATS.

From: Kris Kennaway <kris@obsecurity.org>
To: Brad Huntting <huntting@glarp.com>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/28333: rtprio/idprio setuid problems
Date: Sun, 8 Jul 2001 15:15:12 -0700

 On Thu, Jun 21, 2001 at 10:41:03PM -0600, Brad Huntting wrote:
 
 > 	On some (but by no means all) systems it is desirable to
 > 	allow non-root users the ability to start realtime processes.
 
 The same can be said about almost any program which requires superuser
 privileges, not just rtprio/idprio.
 
 > 	The obvious way to allow this is to "chmod u+s /usr/sbin/rtprio".
 > 	Unfortunately, this causes all programs started with rtprio
 > 	(and idprio) to run as root.  The included patch adds a
 > 	line to reset the euid before exec()ing the program.
 >
 > 	Note:  I am NOT advocating that rtprio should be installed
 > 	setuid-root by default!  However, if the sysadmin wants to
 > 	allow non-root users this privilege, then making a setuid-root
 > 	program (perhaps executable by only one group) is the "unix
 > 	way".
 
 No, the UNIX way is to use a tool like sudo (in the ports
 collection) which lets the admin manage which users get to execute
 which commands with privilege.  Adding uid-management code to all
 sorts of non-privileged binaries just in case someone misguidedly
 makes it setuid is the wrong solution.
 
 Kris
 
