On Tuesday 02 October 2007, Jan Engelhardt wrote: > On Oct 2 2007 13:33, Giuliano Gagliardi wrote: > >Date: Tue, 2 Oct 2007 13:33:05 +0200 > >From: Giuliano Gagliardi <[EMAIL PROTECTED]> > >To: Jan Engelhardt <[EMAIL PROTECTED]> > >Subject: Re: One process with multiple user ids. > > > >On Tuesday 02 October 2007, Jan Engelhardt wrote: > >> On Oct 2 2007 12:56, Giuliano Gagliardi wrote: > >> >I have a server that has to switch to different user ids, but because > >> > it does other complex things, I would rather not have it run as root. > >> > I only need the server to be able to switch to certain pre-defined > >> > user ids. > >> > >> All you need is CAP_SETUID. Also see man setresuid, > >> where you could, I think, use saved_uid=0 if you do not > >> like to use real_uid=0 effective_uid=non-0. > > > >But CAP_SETUID would let me change to any uid, would it not? I would like > > my process to have no possibility to change to any uid, except some > > predefined set, so that in case of a security hole only those uids could > > be compromised. > > You could write up a LSM that restricts UID changing.
Would you not consider it more useful to let one process have multiple user ids? I do not see why they can have multiple group ids, but only (and exactly) three user ids. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
