1 |
On 01/17/2018 10:21 AM, William Hubbs wrote: |
2 |
> |
3 |
> For both A and B above I think you mean owner/group/permissions right? |
4 |
|
5 |
Yep. |
6 |
|
7 |
|
8 |
>> 2. It should have a flag (say, --as=<user>[:group]) to make it run as |
9 |
>> an unprivileged user. Basically a portable "su -c". |
10 |
> |
11 |
> I'm not following why I need this. |
12 |
> |
13 |
>> 3. It should die if it's used in a directory that is writable by |
14 |
>> anyone other than itself or root. (If it's feasible, we might want |
15 |
>> to check the parent directories all the way up to the root; if I can |
16 |
>> write to "b", then I can write to "e" in /a/b/c/d/e.) |
17 |
> |
18 |
>> Since newpath can't modify existing paths, the aforementioned "--as" |
19 |
>> flag will be needed to avoid this error. |
20 |
> |
21 |
> Which error are you referring to? I don't follow you here. I don't see |
22 |
> how newpath not modifying existing paths is related to this. |
23 |
> |
24 |
|
25 |
|
26 |
If I want to create /run/foo and /run/foo/bar, both owned by the "foo" |
27 |
user, how would I do it using newpath? |
28 |
|
29 |
1. I could create /run/foo with owner "foo", and then create |
30 |
/run/foo/bar with owner "foo". That can be done without modifying |
31 |
existing permissions, but it's not safe, because you wind up working |
32 |
as root in the directory /run/foo which is owned by the non-root |
33 |
"foo" user. If newpath disallows that unsafe operation, this approach |
34 |
is out. |
35 |
|
36 |
2. I could create /run/foo as root:root, and then create /run/foo/bar as |
37 |
"foo". That much is safe, but then what do I do about /run/foo? It |
38 |
already exists, so if newpath will refuse to modify existing paths, |
39 |
then this approach is out too. |
40 |
|
41 |
That leaves... |
42 |
|
43 |
3. I can create /run/foo with owner "foo", and then setuid to the foo |
44 |
user. Now, *as the foo user* I can create /run/foo/bar, which will be |
45 |
owned by "foo". There's no risk in doing so, because the "foo" user |
46 |
can only trick himself. Moreover, the directory is writable only by |
47 |
root and the OpenRC user (currently: foo) at that point, so the extra |
48 |
safety precautions don't get in the way. |