
scott_n at xypro
Mar 12, 2009, 9:56 AM
RE: Replace uid==0 tests with capability checks
> What's still missing in OpenSSH is code which abstracts the idea of the
> root user to the idea of a user with certain privileges.  At least
> Linux/Solaris/Cygwin/Windows allow specifying finer grained user rights,
> so that certain types of tasks are not necessarily run by the root user.
> In case of Cygwin/Windows there isn't even a root user, just users with
> certain privileges.  Given that, the hardcoded checks for uid == 0 don't
> make sense or rather, are too bulky in a couple of environments.  To
> reiterate an idea I've been proposing for quite some time now:
>
> Instead of checks as
>
>   if (getuid() == 0)
>     do_foo_bar ();
>   else
>     EEEEK!
>
> openssh should have checks along the lines of
>
>   if (uid_has_capability (getuid (), CAP_foo_bar))
>     do_foo_bar ();
>   else
>     EEEEK!
>
> The function uid_has_capability() would be quite simple on systems
> which don't have fine-grained user rights:
>
>   int
>   uid_has_capability (uid_t uid, int capability)
>   {
>     return uid == 0;
>   }
>
> but could be much more elaborate on other platforms like Linux, Solaris,
> or Cygwin.  And, again, I'm willing to help with this stuff in terms of
> coding.

I'd love to see something like this. I'm on an oddball system (Tandem/HP NonStop), where root isn't UID 0, and other stuff has ACL/permissions.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev