Date:      Mon, 9 Jun 1997 22:25:58 +0200 (CEST)
From:      Luigi Rizzo <luigi@iet.unipi.it>
To:        hackers@freebsd.org
Subject:   rtprio from non-root users ?
Message-ID:  <Pine.BSF.3.95q.970609215133.253A-100000@prova.iet.unipi.it>

Hi,

I am trying to allow non-root accounts to use CD-R devices. Although
I could probably create some suid-root shell scripts, I don't much
like the idea and I would prefer a different approach, i.e. limiting
access to a group of allowed users and letting them write their own
scripts.

I am running into a couple of problems, namely:

1) there is no command-level method (I think) to add groups to the
   credential of a user. Probably this is a more general problem,
   but fortunately this is only a nuisance, because it can be solved
   by making allowed users "su" to the username with rights to use
   the device.

2) (major problem) rtprio does not allow the necessary priority
   settings if not superuser; but it cannot be made suid root since
   it does not drop priority before execing the requested process.
   Of the following two fixes:

   a) modify the rtprio syscall so that it can set realtime priority
      for a restricted set of users (but then, how to configure this
      set?);

   b) modify the rtprio(1) command so that it can run suid-root, by
      allowing RTP_SET for a configurable class of users (e.g.
      /etc/rtprio.users) and calling setuid to restore the real uid
      before calling execvp

   which one looks better? I am in favour of b), but I am not sure
   if it can cause security problems.

	Cheers
	Luigi
====================================================================
Luigi Rizzo                     Dip. di Ingegneria dell'Informazione
email: luigi@iet.unipi.it       Universita' di Pisa
tel: +39-50-568533              via Diotisalvi 2, 56126 PISA (Italy)
fax: +39-50-568522              http://www.iet.unipi.it/~luigi/
====================================================================