[Serusers] setuid and setgid
Andrei Pelinescu-Onciul
pelinescu-onciul at fokus.fraunhofer.de
Fri Apr 30 22:12:29 CEST 2004
On Apr 28, 2004 at 01:03, Zeus Ng <zeus.ng at isquare.com.au> wrote:
> In the main.c file, there is a comment saying that 'we need to open fifo
> before do_suid() and start the fifo server after all the socket are
> initialized, to inherit them'. I'm wondering why SER has to do it like that.
You are using unstable (cvs HEAD branch). Since this is a moving target,
you should send mails related to it on serdev at lists.iptel.org. serusers is
about stable.
>
> Can't SER lower its privileges first (do_suid), then open fifo and start the
> fifo server? The reason being that I want to run SER with an unprivileged
> user. With the current implementation, the fifo file will be created by root
> which is not accessible to anyone else. Unless I change the fifo_mode to
> 0666, which I don't want to, I can't make SER more secure and yet
> accessible.
Check out the latest cvs (from yesterday).
Paste from the NEWS file:

    sock_mode = <permissions> (e.g. sock_mode=0600: default value = 0660)
        ser unix sockets and fifo will be created with this permissions
        (old name fifo_mode is still supported, but deprecated)
    sock_user = username|"uid"
    sock_group = groupname|"gid"
        change the owner and/or group of the ser unix sockets or fifo

Short example config snippet:

    sock_mode=0600        # ser socket/fifo mode
    sock_user="www-data"  # ser socket/fifo owner
    sock_group=nogroup
    user=nobody           # ser user (ser will suid to it)

sock_* is a synonym for fifo_* (e.g. sock_mode=0600 will be applied both to fifo
and unix sockets).
Andrei
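
The ordering discussed in this thread (give the fifo its final owner and mode while still privileged, then switch to the unprivileged user), as an added C example that is not SER's code and not part of the original mail. The names open_ctl_fifo and drop_privileges are hypothetical, and opening a FIFO with O_RDWR relies on Linux behaviour.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create `path` as a FIFO with exactly `mode`, owned by uid:gid.
 * Pass (uid_t)-1 / (gid_t)-1 to leave owner or group unchanged.
 * Call this BEFORE dropping privileges. Returns an open fd or -1. */
int open_ctl_fifo(const char *path, mode_t mode, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd;

    if (mkfifo(path, mode) < 0 && errno != EEXIST)
        return -1;
    /* O_RDWR: do not block waiting for a peer (Linux).
     * O_NOFOLLOW: refuse a symlink planted at `path`. */
    fd = open(path, O_RDWR | O_NONBLOCK | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Work on the fd, not the path, so the object cannot be swapped
     * between the check and the chown/chmod. chown goes first because
     * it may clear mode bits; fchmod is needed because the mode given
     * to mkfifo() is filtered by the process umask. */
    if (fstat(fd, &st) < 0 || !S_ISFIFO(st.st_mode) ||
        fchown(fd, uid, gid) < 0 || fchmod(fd, mode) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop root for good: supplementary groups, then gid, then uid.
 * The already-open fifo fd stays usable afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* Regaining root must now fail, otherwise the drop did not stick. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}
```
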