| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.64.0710021334130.7130@fbirervta.pbzchgretzou.qr> Date: Tue, 2 Oct 2007 13:34:29 +0200 (CEST) From: Jan Engelhardt <jengelh@...putergmbh.de> To: Giuliano Gagliardi <gogi-k@...i.tv> cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: One process with multiple user ids. On Oct 2 2007 13:33, Giuliano Gagliardi wrote: >Date: Tue, 2 Oct 2007 13:33:05 +0200 >From: Giuliano Gagliardi <gogi-k@...i.tv> >To: Jan Engelhardt <jengelh@...putergmbh.de> >Subject: Re: One process with multiple user ids. > >On Tuesday 02 October 2007, Jan Engelhardt wrote: >> On Oct 2 2007 12:56, Giuliano Gagliardi wrote: >> >I have a server that has to switch to different user ids, but because it >> > does other complex things, I would rather not have it run as root. I only >> > need the server to be able to switch to certain pre-defined user ids. >> >> All you need is CAP_SETUID. Also see man setresuid, >> where you could, I think, use saved_uid=0 if you do not >> like to use real_uid=0 effective_uid=non-0. > >But CAP_SETUID would let me change to any uid, would it not? I would like my >process to have no possibility to change to any uid, except some predefined >set, so that in case of a security hole only those uids could be compromised. > > You could write up a LSM that restricts UID changing. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists