
Re: unowned processes and who controls them (was: Re: passwd entry for uid -1

On Tue, Jun 05, 2001 at 10:42:49PM +0200, Robert Bihlmeyer wrote:
> Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de> writes:
> > Anyway, the code is there, but processes started at boot time are not in
> > different login groups, I think.  You would want them to be there, though.
> > In fact, I think you would lose all security at the login shell if there
> > were processes without owner started at boot time, as login groups are only
> > created after a login.
> Is that stuff in a special login group, or no login group at all?

I don't know.  It should be easy to find out by running a small program
printing getlogin() in the boot scripts.

But it seems that all login shells run in different login groups (all named
"login", but the name is not what matters). So I don't think you have access
to the root programs through the login shell.

> Anyway, it should be possible to put those jobs each in a different
> group easily. We're root, then, after all.

Of course.  A very short program could serve as a launcher application, to
fork off a daemon in a new login group, and strip all uids from it.

> Don't forget that already owned capabilities (mainly open file
> handles -- what about other port rights??)

If you have authenticated yourself, you stay authenticated until a
reauthentication is performed.  The server keeps track of the uids as
provided by the handshake.

> should also stay available.



`Rhubarb is no Egyptian god.' Debian http://www.debian.org brinkmd@debian.org
Marcus Brinkmann              GNU    http://www.gnu.org    marcus@gnu.org
