List: kde-devel
Subject: Re: Running part of the code with superuser privileges
From: Iván Forcada Atienza <ivan () swscanner ! org>
Date: 2006-05-28 23:17:39
Message-ID: 20060528231739.GB23108 () masao ! forcada ! info
[Sun, 28 May 2006 13:07:18 -0400] - Michael Pyne:
> On Sunday 28 May 2006 12:02, Iván Forcada Atienza wrote:
> > Is it possible?? Any other workaround to achieve this?? Examples, docs??
> >
> It's possible, but the application would need to be run as root (or as setuid
> root).
>
> Basically what you need to do is that after the fork call, you can drop
> privileges in the child process immediately to act as a normal user, while
> the parent process will keep the privileges of root.
I feared that this was the only possibility :-(. The goal was to avoid
the use of kdesu at start, and only ask the user for the root's password
when it's needed.
Now I know that can only be achieved by calling a separate process...
> This brings up a whole host of issues though, such as how to communicate
> between the two processes (you'll have to use pipe() before fork() for
> example), and how to do all this securely.
Yes, I thought about using pipes for IPC. However... I didn't realise
its security implications :-S
> If it were me I'd just have a separate program that handles interfacing with
> the network stuff, and only with the network stuff.
I'll do it that way. In fact this 'separate program' will be ifconfig and
iwconfig so it's easy ;-)
> Have it setuid root and
> call it as necessary. And before I do any of this, I'd read the Secure Linux
> and UNIX Programming HOWTO by David Wheeler:
> http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO.html
Good link!! I'll bookmark and read it ;-)
> I don't expect you to read *all* of it of course, but it does contain very
> useful advice on ways to write programs that require high security in a
> UNIX-like environment.
>
> Regards,
> - Michael Pyne
Thanks Michael :-)
--
__________________________________________________________________
Iván Forcada Atienza:
email: ivan@forcada.info
jabber: ivanfor@jabber.guadawireless.org
------------------------------------------------------------------
Node guada21 on GuadaWireless using Debian GNU/Linux:
http://el21.guadawireless.net
------------------------------------------------------------------
"Software is like sex: it's better when it's free" (Linus Torvalds)
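
Added example, not part of the original message or of any KDE code: a C sketch of the pipe()-before-fork() pattern discussed in the thread, where the child drops privileges immediately and the parent keeps them. The function names drop_privileges and split_and_report are hypothetical, and the program is assumed to be started as root or installed setuid root.

```c
#define _DEFAULT_SOURCE            /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently become uid/gid. Order matters: supplementary groups, then gid,
 * then uid, because once the uid is gone the other two calls are refused. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* root must be unrecoverable */
    return 0;
}

/* pipe() before fork(): the child drops to uid/gid and reports the euid it
 * ended up with; the parent keeps its privileges and reads the report. */
static int split_and_report(uid_t uid, gid_t gid, uid_t *child_euid) {
    int fds[2], status;
    pid_t pid;
    if (pipe(fds) != 0) return -1;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                              /* child: unprivileged side */
        uid_t me;
        close(fds[0]);
        if (drop_privileges(uid, gid) != 0) _exit(1);  /* never continue as root */
        me = geteuid();
        _exit(write(fds[1], &me, sizeof me) == (ssize_t)sizeof me ? 0 : 2);
    }
    close(fds[1]);                               /* parent: privileged side */
    ssize_t n = read(fds[0], child_euid, sizeof *child_euid);
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return n == (ssize_t)sizeof *child_euid ? 0 : -1;
}

int main(void) {
    uid_t seen = (uid_t)-1;
    /* In a setuid-root binary getuid()/getgid() are the invoking user's ids. */
    if (split_and_report(getuid(), getgid(), &seen) != 0) return 1;
    printf("parent euid=%d, child euid=%d\n", (int)geteuid(), (int)seen);
    return 0;
}
```

Anything the privileged parent later reads from the pipe comes from the unprivileged side and has to be validated as untrusted input.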