OT: setrlimit equivalent to prevent unlink or truncate

Oliver Fromme check+k1tvww00rsyn872l at fromme.com
Mon Jun 2 02:30:58 PDT 2008

Johannes Hofmann wrote:
 > Yes, the latter. In a program I want to exec another binary with
 > limited privileges.

The traditional UNIX way is to exec that other binary as
an unprivileged user, e.g. "nobody".  The problem is that
you must be root to call setuid() in the first place.
You can use sudo(8) or super(1) for that purpose.

Of course the problem could be solved in a much better
way with mandatory access control (MAC), which requires
appropriate support from the OS.

Best regards

Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

More information about the Users mailing list