Christopher Cain at [EMAIL PROTECTED] wrote:
>
>> I'm attaching a little C script that degradates the process to a specified
>> user before execuing it. To compile do "gcc -O2 safexec.c -o safexec" and to
>> run, (for example catalina) do:
>>
>> safexec username $CATALINA_HOME/bin/catalina.sh start
>>
>> It's written for Solaris, but it should work also on Linux (maybe some
>> compilation warning of some kind)... DO NOT INSTALL IT W/ SUID PRIVILEGES,
>> otherwise anyone will be able to break into your machine _easily_... 'K?
>
> My startup script (Linux) simply does this:
>
> daemon --user nobody $CATALINA_HOME/bin/catalina.sh start
This is I believe Bergstein's daemontools?
> That's one way you can execute commands from a script with the proper
> user privileges. Another way I've seen is:
>
> su -l nobody -c '$CATALINA_HOME/bin/catalina.sh start'
>
> That works too, but you usually have to mess around with redirects (by
> adding, say, "< /dev/null > /dev/null 2>& 1" to the end of that su
> command).
Yeah... Same thing that my little C thing does. But being paranoid, su is
installed setuid, so... :) :) :)
>> Let's try to be a LITTLE BIT security conscious here...
>>
>> Pier (in these days turned into a security freak!)
>
> =)
>
> I usually prefer putting "Paranoid" in front of my "Security Freak"
> title, but that works too ;-)
If you saw what I'm doing this week, you would surely share my vision of
"freak" :) It's all week I'm running tripwire, nessus and some other (Sun)
tools on a cluster of machines... AAARRRGGGHHH :) :) :)
Pier
