From: "Dmitry V. Levin" <ldv@alt-linux.org>
To: devel@altlinux.ru
Subject: Re: [devel] Re: About masqmail
Date: Wed, 10 Oct 2001 13:08:10 +0400
Message-ID: <20011010130810.C29738@ldv.office.alt-linux.org> (raw)
In-Reply-To: <20011010115734.B3000@dhcp4.msc.masq>
[-- Attachment #1.1: Type: text/plain, Size: 1038 bytes --]
On Wed, Oct 10, 2001 at 11:57:34AM +0400, Sergei Aranovsky wrote:
> > Здравствуйте Сергей!
> > Как я понял Вы сейчас готовите пакет masqmail для Сизифа.
> > В этом пакете присутствует SUID-ная программа.
> > Предлагаю обсудить это (в devel) так как (вывод после краткой беседы с
> > Димой Левиным) вполне реально от этого избавиться.
> >
> > Как вы на это смотрите?
>
> Хорошо смотрю. Переходим в devel.
>
> Сделать masqmail не setuid-ной конечно можно было бы. Но:
>
> 1. Как быть с 25-м портом? Или правило младших портов обходится?
Да (см. attachment).
> 2. Накроется медным тазом доставка при помощи procmail (см. ключ -d).
А как с этим быть?
Regards,
Dmitry
+-------------------------------------------------------------------------+
Dmitry V. Levin mailto://ldv@alt-linux.org
ALT Linux Team http://www.altlinux.ru/
Fandra Project http://www.fandra.org/
+-------------------------------------------------------------------------+
UNIX is user friendly. It's just very selective about who its friends are.
[-- Attachment #1.2: drop_root.c --]
[-- Type: text/plain, Size: 2041 bytes --]
/*
drop_root
Copyright (C) 2000 Dmitry V. Levin <ldv@fandra.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/* Compile with libcap-devel installed, link with -lcap */
#include <unistd.h>
#include <syslog.h>
#include <pwd.h>
#include <grp.h>
#include <sys/capability.h>
#include <sys/prctl.h>
int drop_root( uid_t uid, gid_t gid )
{
cap_t caps;
/* Keep capabilities after setuid call */
if ( prctl( PR_SET_KEEPCAPS, 1 ) < 0 )
{
syslog( LOG_ERR, "prctl failed: %m" );
return 1;
}
/* Drop supplementary groups */
if ( setgroups( 0, NULL ) < 0 )
{
syslog( LOG_ERR, "setgroups failed: %m" );
return 1;
}
/* Setgid */
if ( setgid( gid ) < 0 )
{
syslog( LOG_ERR, "setgid to gid=%d failed: %m", gid );
return 1;
}
/* Setuid */
if ( setuid( uid ) < 0 )
{
syslog( LOG_ERR, "setuid to uid=%d failed: %m", uid );
return 1;
}
/* Initialize capability state */
caps = cap_from_text( "cap_net_bind_service=epi" );
if ( !caps )
{
syslog( LOG_ERR, "cap_from_text failed: %m" );
return 1;
}
/* Set capabilities */
if ( cap_set_proc( caps ) < 0 )
{
syslog( LOG_ERR, "cap_set_proc failed: %m" );
return 1;
}
/* Cleanup */
if ( cap_free( caps ) < 0 )
{
syslog( LOG_ERR, "cap_free failed: %m" );
return 1;
}
syslog( LOG_DEBUG, "running as uid(%d)/gid(%d) euid(%d)/egid(%d)", getuid(), getgid(), geteuid(), getegid() );
return 0;
}
[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]
next prev parent reply other threads:[~2001-10-10 9:08 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-10-10 7:57 ` Sergei Aranovsky
2001-10-10 9:08 ` Dmitry V. Levin [this message]
2001-10-11 14:51 ` Sergei Aranovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20011010130810.C29738@ldv.office.alt-linux.org \
--to=ldv@alt-linux.org \
--cc=devel@altlinux.ru \
--cc=devel@linux.iplabs.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux Team development discussions
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/devel/0 devel/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 devel devel/ http://lore.altlinux.org/devel \
devel@altlinux.org devel@altlinux.ru devel@lists.altlinux.org devel@lists.altlinux.ru devel@linux.iplabs.ru mandrake-russian@linuxteam.iplabs.ru sisyphus@linuxteam.iplabs.ru
public-inbox-index devel
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.devel
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git