Date: Wed, 7 Jan 2004 15:33:11 -0500 (EST) From: Robert Watson <rwatson@freebsd.org> To: Adil Katchi <AdilK@sandvine.com> Cc: "'freebsd-hackers@freebsd.org'" <freebsd-hackers@freebsd.org> Subject: RE: switching between groups Message-ID: <Pine.NEB.3.96L.1040107153004.6025D-100000@fledge.watson.org> In-Reply-To: <FE045D4D9F7AED4CBFF1B3B813C85337029120C5@mail.sandvine.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 7 Jan 2004, Adil Katchi wrote: > Unfortunately, newgrp(1) would not work, because it calls setgroups, > which for some weird reason, needs the caller to be a superuser. Isn't > there a function that sets the groups (like setgroups) of the current > process where you don't have to be a superuser? To maintain security, > that function could just check that the groups being set by setgroups > are a subset of the caller's set. Does a function like that already > exist? If not, how come? Groups are sometimes used for negative access control rights: i.e., permissions are set on a file so that users who should not be able to read the file are in a group, and the group rights are less than the 'other' rights. If users can drop arbitrary groups, they can leave the group excluding the rights. This probleis more or less pronounced with ACLs, depending on who you speak to: using negative rights is often a workaround for not having ACLs, but with ACLs, you can add more than one group to a file, and don't have to be a member of the group to add it... It does strike me that newgrp(1) seems less than useful without the setuid bit... Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Senior Research Scientist, McAfee Research > > Thanks, > > Adil > > -----Original Message----- > From: Bruce M Simpson [mailto:bms@spc.org] > Sent: Tuesday, January 06, 2004 1:12 PM > To: Adil Katchi > Cc: 'freebsd-hackers@freebsd.org' > Subject: Re: switching between groups > > > On Tue, Jan 06, 2004 at 11:14:06AM -0500, Adil Katchi wrote: > > I was just wondering if anyone has any ideas how it's possible for a user > > that belongs to multiple groups to somehow limit his or her own > capabilities > > by using only one of the n groups that they belong to and be able to > switch > > between these groups? For example, if userA belongs to groupA, groupB and > > groupC, can userA enter a mode that would force it to only belong to > groupA > > (or groupB, or groupC)? UserA whould be able to switch between these > groups > > and back to normal (ie. belong to all groups). > > newgrp(1) could be hacked to do this fairly easily. Currently it preserves > supplemental group memberships. An option to discard supplementals could > be added. > > Or just call setgroups() with a no-op group-list vector and then setgid()/ > setegid() from within your application. > > BMS > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1040107153004.6025D-100000>