OT: setrlimit equivalent to prevent unlink or truncate
Oliver Fromme
check+k1tvww00rsyn872l at fromme.com
Mon Jun 2 02:30:58 PDT 2008
Johannes Hofmann wrote:
> Yes, the latter. In a program I want to exec another binary with
> limited privileges.

The traditional UNIX way is to exec that other binary as
an unprivileged user, e.g. "nobody". The problem is that
you must be root to call setuid() in the first place.
You can use sudo(8) or super(1) for that purpose.

Of course the problem could be solved in a much better
way with mandatory access control (MAC), which requires
appropriate support from the OS.

Best regards
Oliver
--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Munich registry
court, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd
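
The approach described in the message above (start as root, switch to an unprivileged account such as "nobody", then exec), as an added example that is not part of the original post. The function name run_as, the exit codes 126/127 and the /usr/bin/id demo path are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* glibc: expose setgroups() */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[0] as `user`. Returns the child's exit status, or -1 with
 * errno set. Hypothetical helper written for this example. */
int run_as(const char *user, char *const argv[])
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { errno = ENOENT; return -1; }     /* unknown account */
    if (geteuid() != 0) { errno = EPERM; return -1; }  /* only root may switch uid */

    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Order matters: groups and gid first, while still root.
         * Every return value is checked; a failed drop must never
         * fall through to exec with root privileges. */
        if (setgroups(1, &gid) != 0) _exit(126);
        if (setgid(gid) != 0)        _exit(126);
        if (setuid(uid) != 0)        _exit(126);
        /* Confirm the drop is permanent: regaining root must fail. */
        if (uid != 0 && setuid(0) == 0) _exit(126);
        execv(argv[0], argv);
        _exit(127);                  /* exec itself failed */
    }

    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "/usr/bin/id", NULL };   /* assumed demo binary */
    int rc = run_as("nobody", argv);
    if (rc < 0)
        perror("run_as");
    return rc < 0 ? 1 : rc;
}
```

Run without root, the helper refuses with EPERM before forking, which is the limitation the message points out.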