Date: Wed, 7 Jan 2004 15:33:11 -0500 (EST)
From: Robert Watson
To: Adil Katchi
cc: "'freebsd-hackers@freebsd.org'"
Subject: RE: switching between groups

On Wed, 7 Jan 2004, Adil Katchi wrote:

> Unfortunately, newgrp(1) would not work, because it calls setgroups,
> which for some weird reason, needs the caller to be a superuser. Isn't
> there a function that sets the groups (like setgroups) of the current
> process where you don't have to be a superuser? To maintain security,
> that function could just check that the groups being set by setgroups
> are a subset of the caller's set. Does a function like that already
> exist? If not, how come?

Groups are sometimes used for negative access control rights: i.e.,
permissions are set on a file so that users who should not be able to
read the file are in a group, and the group rights are less than the
'other' rights. If users can drop arbitrary groups, they can leave the
group excluding the rights. This problem is more or less pronounced with
ACLs, depending on who you speak to: using negative rights is often a
workaround for not having ACLs, but with ACLs, you can add more than one
group to a file, and don't have to be a member of the group to add it...

It does strike me that newgrp(1) seems less than useful without the
setuid bit...

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research

>
> Thanks,
>
> Adil
>
> -----Original Message-----
> From: Bruce M Simpson [mailto:bms@spc.org]
> Sent: Tuesday, January 06, 2004 1:12 PM
> To: Adil Katchi
> Cc: 'freebsd-hackers@freebsd.org'
> Subject: Re: switching between groups
>
>
> On Tue, Jan 06, 2004 at 11:14:06AM -0500, Adil Katchi wrote:
> > I was just wondering if anyone has any ideas how it's possible for a user
> > that belongs to multiple groups to somehow limit his or her own capabilities
> > by using only one of the n groups that they belong to and be able to switch
> > between these groups? For example, if userA belongs to groupA, groupB and
> > groupC, can userA enter a mode that would force it to only belong to groupA
> > (or groupB, or groupC)? UserA would be able to switch between these groups
> > and back to normal (ie. belong to all groups).
>
> newgrp(1) could be hacked to do this fairly easily. Currently it preserves
> supplemental group memberships. An option to discard supplementals could
> be added.
>
> Or just call setgroups() with a no-op group-list vector and then setgid()/
> setegid() from within your application.
>
> BMS
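
The negative-rights case described in the reply above, as an added example that is not part of the original thread: a simplified C model of the classic UNIX owner/group/other read check (no ACLs, no superuser override). The uid, gid and mode values are constructed for illustration, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Simplified credential: uid plus effective and supplementary groups. */
struct cred {
    uid_t uid;
    const gid_t *groups;
    size_t ngroups;
};

static bool in_group(const struct cred *c, gid_t gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Exactly one permission class applies: owner, else group, else other. */
bool may_read(const struct cred *c, uid_t f_uid, gid_t f_gid, mode_t mode)
{
    if (c->uid == f_uid)
        return (mode & 0400) != 0;
    if (in_group(c, f_gid))
        return (mode & 0040) != 0;  /* group bits win even if "other" grants more */
    return (mode & 0004) != 0;
}

/* Constructed sample: file owned by uid 0, group 2000, mode 0604 (rw----r--).
 * Group 2000 plays the role of the "excluded users" group. */
static const gid_t with_deny[] = { 1001, 2000 };
static const gid_t dropped[]   = { 1001 };  /* a strict subset of with_deny */

bool read_before_drop(void)
{
    struct cred c = { 1001, with_deny, 2 };
    return may_read(&c, 0, 2000, 0604);
}

bool read_after_drop(void)
{
    struct cred c = { 1001, dropped, 1 };
    return may_read(&c, 0, 2000, 0604);
}

int main(void)
{
    printf("in deny group: %d, after drop: %d\n", read_before_drop(), read_after_drop());
    return 0;
}
```

The reduced group list passes a subset check, yet the read that was denied becomes allowed, which is the reason given in the reply for not letting unprivileged processes drop groups.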