List: perl5-porters
Subject: Re: Does Perl need a special variable for saved-UID/GID?
From: Alan Burlison <Alan.Burlison () sun ! com>
Date: 2004-05-31 22:58:51
Message-ID: 40BBB8AB.7020901 () sun ! com
Paul Fenwick wrote:
> Ton Hospel directed me to
> http://www.cs.berkeley.edu/~hchen/paper/usenix02.html (Setuid
> Demystified -- Hao Chen, David Wagner and Drew Dean). The paper is very
> detailed and well thought-out, and suggests an API to allow navigation
> of the set*id calls in a cross-platform fashion. In particular, it
> suggests the implementation of:
>
> drop_priv_temp($uid)
> drop_priv_perm($uid)
> restore_priv()
>
> which have much simpler to understand semantics than the traditional
> POSIX calls. These cover the most commonly required privilege
> manipulations, and it *should* be possible to define these on all
> systems that have the three concepts of real/effective/saved UIDs.
FYI, Solaris 10 adds a new privilege model (Process Rights Management,
AKA Least Privileges), based on that used in Secure Solaris which allows
you very fine-grained control of process privileges. Solaris 10 comes
with two perl modules to allow you to manipulate the privileges. For
more on the S10 privileges model, see the following links:
http://docs.sun.com/db/doc/816-4557/6maosrjfj?a=view
http://docs.sun.com/db/doc/816-4557/6maosrjh7?a=view
http://docs.sun.com/db/doc/816-4557/6maosrjgl?a=view
http://docs.sun.com/db/doc/816-4863/6mb20lvf5?a=view
--
Alan Burlison
--
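
The three calls named in the quoted proposal, written in C as an added example; this is not code from the thread, from the paper, or from Perl. It assumes a system that provides setresuid()/getresuid() (Linux, the BSDs) and handles UIDs only; a real program drops supplementary groups and GIDs first, while it still has the privilege to do so.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes setresuid()/getresuid() on glibc */
#endif
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated so the block compiles even if feature macros were
 * fixed by an earlier include; they match the glibc/BSD declarations. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Temporary drop: the effective UID becomes `uid`, and the old effective
 * UID is parked in the saved UID so restore_priv() can get it back. */
int drop_priv_temp(uid_t uid)
{
    if (setresuid((uid_t)-1, uid, geteuid()) != 0)
        return -1;
    return geteuid() == uid ? 0 : -1;
}

/* Permanent drop: set real, effective and saved UID together, then read
 * them back. A privileged saved UID left behind would let the process
 * regain its old identity, so a mismatch is reported as failure. */
int drop_priv_perm(uid_t uid)
{
    uid_t r, e, s;

    if (setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == uid && e == uid && s == uid) ? 0 : -1;
}

/* Restore: copy the saved UID back into the effective UID. */
int restore_priv(void)
{
    uid_t r, e, s;

    if (getresuid(&r, &e, &s) != 0)
        return -1;
    if (setresuid((uid_t)-1, s, (uid_t)-1) != 0)
        return -1;
    return geteuid() == s ? 0 : -1;
}
```

Callers must treat a -1 return as fatal: continuing after a failed drop leaves the process running with the privileges it meant to give up.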