Great Circle Associates Majordomo-Users
(June 1996)
 


Subject: Re: Hallelujah!!!!
From: Cameron Simpson <cameron @ research . canon . com . au>
Organization: Canon Information Systems Research Australia, Sydney, Oz
Date: Fri, 7 Jun 1996 10:45:09 +1000
To: majordomo-users @ greatcircle . com
References: <9606060950.ZM11258@nike.3ws.com>
Reply-to: cameron @ research . canon . com . au

jason@3ws.com (Jason Burns) writes:
| Thanks to everyone who helped me get MD working. I thought that the README
| said that under POSIX the wrapper only had "to be setuid "root", even if the
| programs will be running as something other than "root".

I'm not sure I understand your use of the word "only" here. I gather it's
some aspect of the set[r][e]uid() calls under POSIX which requires the
program to be setuid root rather than majordom. I haven't checked the source
yet. At any rate the wrapper exists to run the programs as majordom (or
whoever), and to avoid Perl's tainting code the real uids must also be
majordom (not just the effective uid, which is all the setuid bit does).

So very early on the wrapper becomes majordom, and doesn't do any actual work
as root at all.

In case you've never had cause to look into this stuff, here's the deal:

	- all processes have two sets of uid and gid values, the "real"
	  uid and gid, and the "effective" uid and gid
	- under normal circumstances these are the same
	- all UNIX permission checking is done against the "effective"
	  uid/gid
	- the setuid (or setgid) bit on a program causes that process
	  (and any children it has - both sets are inherited) to run with
	  the effective uid/gid of the program's ownership
	- since UNIX permissions are checked against the effective bits
	  this suffices to access privileged files etc
	- it is possible to look up both the real and effective values;
	  if they are different you know you're running setuid.
	  Perl checks this and turns on all sorts of special security
	  checks to protect scripts against being hacked (or at least
	  to warn users and authors)
	- Perl errs on the side of caution, so many quite legitimate things
	  are considered tainted unless you take special care
	- rather than untaint everything majordomo does, it is simpler to
	  set the real uid/gid to match the effective ones and thus not
	  appear to be setuid at all
	- this is what the wrapper's for;
	  under POSIX the constraints on setting the real uid are tighter
	  than on most BSD boxes (I suspect the POSIX constraints match
	  the SysV ones, though I've not checked - I do recall that they're
	  more conservative than the BSD/V7 ones);
	  you need to be root under POSIX to do this

At any rate, majordomo itself runs as majordom, real and effective.
The wrapper is only root long enough to achieve this setting.

Cheers,
	- Cameron Simpson
	  cameron@research.canon.com.au, DoD#743
	  http://www.dap.csiro.au/~cameron/
--
A Guru is not one who simply knows all the answers.  Rather, a Guru is like
one who walks among the mountains, and by wandering around a bit, can see the
horizon through long narrow canyons.
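
The drop to matching real and effective ids that the message above describes, as an added example in C (not the Majordomo wrapper's source and not part of the original post). The names `looks_setuid` and `become_user` are hypothetical, and the demo targets the caller's own ids so that it also runs without privilege.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The condition a taint check keys on: real and effective ids disagree. */
int looks_setuid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Set real and effective uid/gid to the target, irreversibly.
 * Returns 0 on success, -1 on any failure (caller must not continue). */
int become_user(uid_t uid, gid_t gid)
{
    /* Leaving root: shed root's supplementary groups while still able to. */
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group first: once the uid is dropped the gid can no longer change. */
    if (setgid(gid) != 0)
        return -1;
    /* Called with privilege, setuid() sets real, effective and saved uid. */
    if (setuid(uid) != 0)
        return -1;
    /* Verify the result rather than trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* The drop must be permanent: regaining root has to fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Demo target (assumption): our own real ids. A wrapper would use
     * the uid/gid of the account the programs should run as. */
    printf("before: looks_setuid=%d\n", looks_setuid());
    if (become_user(getuid(), getgid()) != 0) {
        perror("become_user");
        return 1;
    }
    printf("after:  looks_setuid=%d\n", looks_setuid());
    return 0;
}
```

Installed setuid root and given another account's ids, `become_user` would leave the process with real and effective ids equal, so `looks_setuid` returns 0 in whatever is executed next.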

