Date:      Sat, 10 Mar 2007 03:38:43 +0000 (GMT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Tom Rhodes <trhodes@FreeBSD.org>
Cc:        cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/usr.sbin/daemon daemon.8 daemon.c
Message-ID:  <20070310031320.G30274@fledge.watson.org>
In-Reply-To: <200703090933.l299XJAP094201@repoman.freebsd.org>
References:  <200703090933.l299XJAP094201@repoman.freebsd.org>


On Fri, 9 Mar 2007, Tom Rhodes wrote:

> trhodes     2007-03-09 09:33:19 UTC
>
>  FreeBSD src repository
>
>  Modified files:
>    usr.sbin/daemon      daemon.8 daemon.c
>  Log:
>  Add support for dropping privileges to a specified user and/or group.
>
>  PR:             108523
>  Submitted by:   Dmitri Alenitchev <dmitri@dworlds.ru> (original version)
>  Reviewed by:    mpp (first reply to PR)

Generally, when setting up user context in this kind of situation, it is 
preferable to use setusercontext(3).  Examples of programs that do this [in 
various ways] include jail, inetd, ssh, su, login, cron, etc.  This will lead 
to correct setting of MAC labels, resource limits, and other user properties 
-- for daemons this is quite useful.

The description of "-g" seems not to match the implementation with respect to 
additional groups.  I think I'd prefer it if we removed the "-g" option and 
just used setusercontext() to set the user's groups, as this will reduce the 
potential for confusing behavior.

Generally speaking, it is better to simply try to perform operations and see 
if they succeed than check the user ID and guess.  As we move towards more 
flexible security policies, predicting privileges based on user ID will become 
less reliable.  I would be tempted to remove the getuid() check for this 
reason.

There appears to be a man page format bug relating to the -p argument.

Robert N M Watson
Computer Laboratory
University of Cambridge
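
Added example, not part of the original message or of the FreeBSD source: a C helper showing the two suggestions above, setusercontext(3) for the whole user context and attempting the operation instead of pre-checking getuid(). The name drop_to_user() and the non-FreeBSD fallback branch are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE		/* glibc: declare initgroups() */
#endif
#include <sys/types.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <login_cap.h>		/* setusercontext(3), link with -lutil */
#endif

/*
 * Hypothetical helper: switch the process to `user`.
 * Returns 0 on success, -1 with errno set on failure.
 * There is no getuid() == 0 pre-check; the calls themselves report
 * whether the current security policy allows the change.
 */
int
drop_to_user(const char *user)
{
	struct passwd *pw;

	errno = 0;
	if ((pw = getpwnam(user)) == NULL) {
		if (errno == 0)
			errno = ENOENT;	/* no such account */
		return (-1);
	}
#ifdef __FreeBSD__
	/* Groups, login class limits, MAC label and uid in one call. */
	if (setusercontext(NULL, pw, pw->pw_uid, LOGIN_SETALL) != 0)
		return (-1);
#else
	/* Fallback (assumption): ids only, group changes before the uid. */
	if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
	    setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
		return (-1);
#endif
	return (0);
}

int
main(int argc, char *argv[])
{
	if (argc < 3 || drop_to_user(argv[1]) != 0) {
		perror(argc < 3 ? "usage: prog user command" : argv[1]);
		return (1);
	}
	execvp(argv[2], &argv[2]);
	perror(argv[2]);	/* reached only if exec failed */
	return (1);
}
```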


