From: Robert Watson <rwatson@FreeBSD.org>
Date: Sat, 10 Mar 2007 03:38:43 +0000 (GMT)
To: Tom Rhodes
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/daemon daemon.8 daemon.c
Message-ID: <20070310031320.G30274@fledge.watson.org>
In-Reply-To: <200703090933.l299XJAP094201@repoman.freebsd.org>
References: <200703090933.l299XJAP094201@repoman.freebsd.org>
List-Id: CVS commit messages for the src tree

On Fri, 9 Mar 2007, Tom Rhodes wrote:

> trhodes 2007-03-09 09:33:19 UTC
>
> FreeBSD src repository
>
> Modified files:
> usr.sbin/daemon daemon.8 daemon.c
> Log:
> Add support for dropping privileges to a specified user and/or group.
>
> PR: 108523
> Submitted by: Dmitri Alenitchev (original version)
> Reviewed by: mpp (first reply to PR)

Generally, when setting up user context in this kind of situation, it is preferable to use setusercontext(3). Examples of programs that do this [in various ways] include jail, inetd, ssh, su, login, cron, etc. This will lead to correct setting of MAC labels, resource limits, and other user properties -- for daemons this is quite useful.

The description of "-g" seems not to match the implementation with respect to additional groups. I think I'd prefer it if we removed the "-g" option and just used setusercontext() to set the user's groups, as this will reduce the potential for confusing behavior.

Generally speaking, it is better to simply try to perform operations and see if they succeed than check the user ID and guess. As we move towards more flexible security policies, predicting privileges based on user ID will become less reliable. I would be tempted to remove the getuid() check for this reason.

There appears to be a man page format bug relating to the -p argument.

Robert N M Watson
Computer Laboratory
University of Cambridge
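An added illustration of the two points raised above, written for this page and not taken from daemon.c or any FreeBSD source: privileges are dropped by attempting each operation and checking its result rather than testing getuid() first, using setusercontext(3) where it exists (FreeBSD) and the plain POSIX initgroups/setgid/setuid sequence elsewhere. The function name drop_to_user and the post-drop verification are my own; the portable branch is a substitute for setusercontext(3), not an equivalent (it sets no login-class limits or MAC labels).

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stddef.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <login_cap.h>
#endif

/* Added example: switch the process to the named user.  Rather than
 * guessing from getuid() whether we hold privilege, every step is
 * attempted and its return value checked.  Returns 0 on success,
 * -1 with errno set on failure. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        errno = ENOENT;         /* unknown user: nothing to drop to */
        return -1;
    }
#ifdef __FreeBSD__
    /* With a NULL login_cap_t, setusercontext(3) looks up the user's
     * login class and applies groups, resource limits, umask, priority
     * and MAC labels together with the uid (LOGIN_SETALL). */
    if (setusercontext(NULL, pw, pw->pw_uid, LOGIN_SETALL) != 0)
        return -1;
#else
    /* Portable fallback: supplementary groups, then gid, then uid.
     * Order matters: after setuid() the groups can no longer be changed. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
#endif
    /* Verify the outcome instead of trusting the calls: ids must match
     * and, unless the target is root, privilege must not be recoverable. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || getegid() != pw->pw_gid) {
        errno = EPERM;
        return -1;
    }
    if (pw->pw_uid != 0 && setuid(0) == 0) {
        errno = EPERM;          /* root came back: the drop was not real */
        return -1;
    }
    return 0;
}
```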