Re: dropping setuid/setgid privileges
From: James Youngman
Subject: Re: dropping setuid/setgid privileges
Date: Fri, 12 Jun 2009 10:53:33 +0100

On Fri, Jun 12, 2009 at 12:29 AM, Bruno Haible <address@hidden> wrote:
>> That is usually necessary but not always sufficient, for example see
>> http://blogs.sun.com/peteh/date/20050614
>
> What do you mean by "not always sufficient", other than kernel bugs and
> implementation limits? Assuming a small number of supplementary groups,
> all a process needs to have in order to access all files that a user has
> access to is that
> - the process' uid = the user's uid,
> - the process' gid and supplementary groups together contain all groups
> to which the user belongs.
> No?
Precisely; the number of supplementary groups may not be small, yet
the 16-group limit for NFS is very common. An implementation limit
which is almost universal is something for which one can't usefully
say "fix your implementation". But we're wandering away from the
main point; a ~full explanation is given at the URL quoted earlier.
James.
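
The two conditions from the quoted text, followed by the 16-group caveat from the reply, as an added example that is not part of the original message or of any project discussed in the thread. `check_creds`, `NFS_GROUP_LIMIT`, the status names and the sample values are hypothetical, and the sketch assumes the limit applies to the number of supplementary groups.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define NFS_GROUP_LIMIT 16   /* assumed: the common NFS limit cited in the thread */

enum cred_status { CRED_MISMATCH, CRED_OK, CRED_OK_OVER_NFS_LIMIT };

/* 1 if g is the primary gid or one of the nsup supplementary groups. */
static int has_group(gid_t g, gid_t gid, const gid_t *sup, int nsup)
{
    if (g == gid)
        return 1;
    for (int i = 0; i < nsup; i++)
        if (sup[i] == g)
            return 1;
    return 0;
}

/* Apply the two conditions from the quoted text, then the 16-group caveat. */
enum cred_status check_creds(uid_t proc_uid, gid_t proc_gid,
                             const gid_t *sup, int nsup,
                             uid_t user_uid,
                             const gid_t *user_groups, int nuser)
{
    if (proc_uid != user_uid)
        return CRED_MISMATCH;
    for (int i = 0; i < nuser; i++)
        if (!has_group(user_groups[i], proc_gid, sup, nsup))
            return CRED_MISMATCH;
    /* Covered locally, but a server honouring only 16 groups may disagree. */
    return nsup > NFS_GROUP_LIMIT ? CRED_OK_OVER_NFS_LIMIT : CRED_OK;
}

int main(void)
{
    gid_t sup[64];
    int nsup = getgroups(64, sup);   /* fails if the process has more than 64 */
    if (nsup < 0) {
        perror("getgroups");
        return 1;
    }
    /* Constructed sample: the "user" is this process's own effective identity. */
    gid_t user_groups[1] = { getegid() };
    enum cred_status s = check_creds(geteuid(), getegid(), sup, nsup,
                                     geteuid(), user_groups, 1);
    printf("supplementary groups: %d, status: %d\n", nsup, (int)s);
    return s == CRED_MISMATCH;
}
```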