[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ntp-bugs
Subject:    [ntp:bugs] [Bug 2482] Droproot and Jail could work on Solaris.
From:       bugzilla-daemon () ntp ! org
Date:       2013-09-25 21:14:46
Message-ID: bug-2482-35-lBTinN5Vay () http ! bugs ! ntp ! org/
[Download RAW message or body]

http://bugs.ntp.org/show_bug.cgi?id=2482

--- Comment #11 from Brian Utterback <brian.utterback@oracle.com> 2013-09-25 21:14:46 UTC ---
I don't see the comment I thought I saw, but the idea is implicit in the
ifdefs. 

We only check for the user being null if we don't have linuxcaps and now
solarisprivs. This implies that a null user is okay if either of those are
defined. But the droproot option is only set if you give a user or specify a
jaildir. Since the check for user being null is inside the droproot if-clause,
either a user was given or a jail was given. My experience with these two
features suggest that changing users can cause a problem reading and writing
files you created before the change and using a jaildir can cause problems
accessing files by their new path names. But there is no way currently to drop
privs without choosing one of those two. The workaround is to specify the new
user as the same as the original user, but that means that you also need the
priv to change userid. 

I have some ideas about how to make the jaildir easier to use and to solve the
problem about changing file paths remotely being insecure, but it might be a
while before I get that ironed out. Much better to just allow droproot without
a user. I wonder if giving an empty string would work?

-- 
Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
_______________________________________________
bugs mailing list
bugs@lists.ntp.org
http://lists.ntp.org/listinfo/bugs
[prev in list] [next in list] [prev in thread] [next in thread]