On Wed, Dec 06, 2000 at 01:34:05AM -0900, Ethan Benson wrote: > > > I think is easiest to made it setuid with the new user. > > no that is the most dangerous way as it allows any arbitrary user on > the system to start the daemon with elevated privileges. sorry to reply to myself, but i also wanted to point out that set[ug]id does not work for reducing privileges, only elevating. so even if your daemon is setuid to a non-root user if its started by root it will still run as root, again observe: [root@socrates /root]# id uid=0(root) gid=0(root) groups=0(root),110(wheel) [root@socrates /root]# cp /usr/bin/id . [root@socrates /root]# chown build.src id [root@socrates /root]# chmod 6755 id [root@socrates /root]# ls -l id -rwsr-sr-x 1 build src 10628 Dec 6 01:38 id [root@socrates /root]# ./id uid=0(root) gid=0(root) euid=1001(build) egid=40(src) groups=0(root),110(wheel) [root@socrates /root]# -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgpjIlOVTxdn8.pgp
Description: PGP signature