MOO-cows Mailing List Archive
Subject: Re: Fun with FUP and root.
Date: Wed, 26 Feb 1997 13:12:07 PST
From: "Erik R. Ogan" <erik@galt.com>
cc: MOO-Cows@parc.xerox.com
Content-Type: text/plain; charset=us-ascii
In-reply-to: Your message of "Wed, 26 Feb 1997 11:02:23 PST." <199702261902.LAA21813@Xenon.Stanford.EDU>
> Is "nobody" really correct?
No, setuid nobody is a bit paranoid, but it is the only
unprivileged username that is likely to be found on a UN*X
system (of course, you can't guarantee that...)
> Can that user write the checkpoints?
Well, sure, if you have the directory permissions set properly.
But that IS a good point. If a server running as root does an
invisible setuid, there's a pretty good chance it will lose the
ability to write to its working directory. (This problem is not
specific to nobody, just a lot more likely) A server that can't
(seem to) write checkpoints out of the box is definitely a Bad
Thing.
One might argue that the server should fail to start if it
cannot write a checkpoint (I haven't looked at this code
since 1.7.x, and I can't remember if it does)
On the other hand, it might be better to take Paul Snow's
approach, and handle the uid swap someplace external to the
server. But then you get back to the problem of binding a
port below 1024.
Having the server silently setuid (or even noisily) suddenly
seems a bit heavy-handed to me...on the other hand, I DO
think it would be a good idea to provide a way to bind a lower
port easily, yet continue running as a specific (non-root)
user.
Hmm, maybe if the user to run as could be set through a
command line option, or an environment variable.
Unfortunately there's no clear path on what should be done.
(probably more than my allotted $0.02 (in any currency))
--
Erik R. Ogan, Webmaster/Applications Programmer, GALT Technologies / Intuit, Inc.
Mail with Subject: "send public key" returns my PGP public key
4E C8 9E AC 2E 79 1E 26 62 4E 40 AA A9 52 98 21
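The failure mode discussed in this message (a server that binds a low port as root, switches to an unprivileged uid, and then quietly can no longer write its checkpoints) can be caught at startup rather than at the first checkpoint. The C program below is an added example, not code from the thread or from the MOO server: it binds a listener, drops to a named user in the correct order (groups, then gid, then uid), verifies the drop stuck, and refuses to start unless the new uid can really create a file in the checkpoint directory. The user name `nobody`, the port and the directory are constructed placeholders taken as defaults from the command line.

```c
#define _GNU_SOURCE
/* Added example (not from the original thread): bind a port while still
 * privileged, drop to an unprivileged user, then prove the checkpoint
 * directory is writable before serving anything.  Defaults are constructed
 * placeholders; a real server would take them from options or the environment. */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a listening TCP socket on the given port (ports below 1024 need
 * privilege, which is why this runs before the uid switch).  Returns the
 * socket fd, or -1 on error. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Switch to the named user.  Order matters: supplementary groups and the
 * primary gid go first, because once the uid is unprivileged those calls
 * are no longer permitted.  Returns 0 on success, -1 with errno set. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;   /* unknown user: refuse rather than keep running as root */
        return -1;
    }
    if (geteuid() == 0 && setgroups(0, NULL) < 0)   /* clear groups inherited from root */
        return -1;
    if (setgid(pw->pw_gid) < 0)
        return -1;
    if (setuid(pw->pw_uid) < 0)
        return -1;
    /* If root can still be regained, the drop did not actually take effect. */
    if (pw->pw_uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Prove the current uid can create a file in the checkpoint directory by
 * doing it, instead of trusting access(2), which tests the real uid and
 * ignores ACLs.  Returns 1 if writable, 0 otherwise. */
int checkpoint_dir_writable(const char *dir)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/.ckpt-probe-XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof path)
        return 0;
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    close(fd);
    unlink(path);
    return 1;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";   /* constructed default */
    const char *dir = argc > 2 ? argv[2] : ".";         /* constructed default */
    unsigned short port = 7777;   /* pick a port below 1024 to exercise the root path */

    int fd = bind_listener(port);
    if (fd < 0) {
        perror("bind_listener");
        return 1;
    }
    if (geteuid() == 0 && drop_privileges(user) < 0) {
        perror("drop_privileges");
        return 1;
    }
    /* Fail to start rather than serve without being able to checkpoint. */
    if (!checkpoint_dir_writable(dir)) {
        fprintf(stderr, "cannot write checkpoints in %s as uid %d; refusing to start\n",
                dir, (int)geteuid());
        close(fd);
        return 1;
    }
    printf("listening on port %u as uid %d, checkpoints in %s\n",
           (unsigned)port, (int)geteuid(), dir);
    close(fd);
    return 0;
}
```

Run it as root with a directory the target user cannot write to and it exits non-zero before accepting any connection, which is the startup check the message wonders whether the server performs. The writability probe deliberately creates and removes a real file so that the answer reflects the effective uid, directory ACLs and mount options, not just the mode bits.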