Timeline for Drop Process Privileges
Current License: CC BY-SA 3.0
6 events

| when | type | action | by | license | comment |
|---|---|---|---|---|---|
| Feb 22, 2013 at 22:41 | comment | added | Nicholas Wilson | | @David Actually, `setuid()` does set real and saved user IDs; you may be thinking of `seteuid()`. Not all systems have `setreuid()`, so it can't be used quite everywhere. The exact semantics of `setuid()` are complicated, but if you have euid 0, you will be able to drop all traditional user-id privileges with `setuid()`. The biggest omission in this answer is that `initgroups` or `setgroups` must be called as well as `setgid` and `setuid`, and that more thorough assertions should be done at the end. |
| Sep 23, 2011 at 23:01 | comment | added | David Schwartz | | If you're going to simplify security-critical code, you have to make it very clear that this is what you're doing. And you should say things like "it's just a matter of" when it isn't. |
| Sep 23, 2011 at 17:58 | comment | added | tylerl | | @David Schwartz code was intentionally simplified to show the mechanism used. |
| Sep 23, 2011 at 10:35 | comment | added | David Schwartz | | Note that this allows the process to recover the privileges if it wishes to! The `setuid` function only sets the effective UID, not the real UID. You should use `setreuid` if you don't want the process to be able to get the privileges back. (And the code above doesn't deal with supplementary group privileges either. It's suitable only for launching mostly-trusted code.) |
| Sep 23, 2011 at 9:23 | history | edited | tylerl | CC BY-SA 3.0 | edited body |
| Sep 23, 2011 at 9:17 | history | answered | tylerl | CC BY-SA 3.0 | |
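As an added example (not code from the answer or from any commenter), the sequence the comments ask for: clear supplementary groups, then `setgid`, then `setuid`, followed by the assertion that root cannot be regained. The target ids 10001/10001 are constructed placeholders.

```c
#define _GNU_SOURCE
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Order matters: supplementary groups and
 * gid must go while we are still root, and uid goes last, because a
 * non-root uid can no longer change the group ids.
 * Returns 0 on success, -1 (errno set) on the first failing call. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) == -1) return -1; /* drop supplementary groups */
    if (setgid(gid) == -1) return -1;        /* real, effective and saved gid */
    if (setuid(uid) == -1) return -1;        /* real, effective and saved uid */
    return 0;
}

/* The "more thorough assertions" at the end: verify the ids are what we
 * asked for and that a saved uid/gid of 0 is not lingering, i.e. the
 * process can no longer switch back to root. Returns 1 if privileges are
 * truly gone, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid) {
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) != -1) return 0; /* regained root: not dropped */
    if (gid != 0 && setgid(0) != -1) return 0;
    return 1;
}

int main(void) {
    const uid_t uid = 10001; /* constructed placeholder ids */
    const gid_t gid = 10001;
    if (drop_privileges(uid, gid) == -1) {
        fprintf(stderr, "drop_privileges failed: %s\n", strerror(errno));
        return 1;
    }
    if (!privileges_dropped(uid, gid)) {
        fprintf(stderr, "privileges can still be regained, refusing to continue\n");
        return 1;
    }
    printf("running as uid %u gid %u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run as root to see the full drop succeed; as an unprivileged user `setgroups` fails with EPERM and the program refuses to continue.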