| 1 |
On 01/17/2018 10:21 AM, William Hubbs wrote: |
| 2 |
> |
| 3 |
> For both A and B above I think you mean owner/group/permissions right? |
| 4 |
|
| 5 |
Yep. |
| 6 |
|
| 7 |
|
| 8 |
>> 2. It should have a flag (say, --as=<user>[:group]) to make it run as |
| 9 |
>> an unprivileged user. Basically a portable "su -c". |
| 10 |
> |
| 11 |
> I'm not following why I need this. |
| 12 |
> |
| 13 |
>> 3. It should die if it's used in a directory that is writable by |
| 14 |
>> anyone other than itself or root. (If it's feasible, we might want |
| 15 |
>> to check the parent directories all the way up to the root; if I can |
| 16 |
>> write to "b", then I can write to "e" in /a/b/c/d/e.) |
| 17 |
> |
| 18 |
>> Since newpath can't modify existing paths, the aforementioned "--as" |
| 19 |
>> flag will be needed to avoid this error. |
| 20 |
> |
| 21 |
> Which error are you referring to? I don't follow you here. I don't see |
| 22 |
> how newpath not modifying existing paths is related to this. |
| 23 |
> |
| 24 |
|
| 25 |
|
| 26 |
If I want to create /run/foo and /run/foo/bar, both owned by the "foo" |
| 27 |
user, how would I do it using newpath? |
| 28 |
|
| 29 |
1. I could create /run/foo with owner "foo", and then create |
| 30 |
/run/foo/bar with owner "foo". That can be done without modifying |
| 31 |
existing permissions, but it's not safe, because you wind up working |
| 32 |
as root in the directory /run/foo which is owned by the non-root |
| 33 |
"foo" user. If newpath disallows that unsafe operation, this approach |
| 34 |
is out. |
| 35 |
|
| 36 |
2. I could create /run/foo as root:root, and then create /run/foo/bar as |
| 37 |
"foo". That much is safe, but then what do I do about /run/foo? It |
| 38 |
already exists, so if newpath will refuse to modify existing paths, |
| 39 |
then this approach is out too. |
| 40 |
|
| 41 |
That leaves... |
| 42 |
|
| 43 |
3. I can create /run/foo with owner "foo", and then setuid to the foo |
| 44 |
user. Now, *as the foo user* I can create /run/foo/bar, which will be |
| 45 |
owned by "foo". There's no risk in doing so, because the "foo" user |
| 46 |
can only trick himself. Moreover, the directory is writable only by |
| 47 |
root and the OpenRC user (currently: foo) at that point, so the extra |
| 48 |
safety precautions don't get in the way. |
Archives