In some cases it is helpful to impersonate the user, at
least as far as
the permissions checking done by the BSD subsystem of the
kernel. A
single-threaded daemon can do this using seteuid and
setegid. These set
the effective user and group ID of the process as a whole.
This will
cause problems if your daemon is using multiple threads to handle
requests from different users. In that case you can set the effective
user and group ID of a thread using pthread_setugid_np.
This was
introduced in Mac OS X 10.4.
However there is no other documentation, description, or man
page for these functions in Tiger or Leopard. Even google
searches didn't seem to help (mostly Linux forums complaining
about bugs).
About the only thing I've found is in the darwin source, where
pthread_getguid_np() is implemented as
But I can't find any documentation or description for SYS_gettid
or SYS_settid either.
Playing around with it, I've discovered that you can't call
pthread_getugid_np until you've called pthread_setugid_np. And
it appears that pthread_setugid_np sets the uid and gid rather
than the euid and egid. This makes its functionality somewhat
limited for me. If the thread was running as root, once its uid
is changed to a regular user the thread doesn't have the
permissions needed to change it back again.
I'm primarily interested in finding out if there's a way to
"unset" the effect of pthread_setugid_np and restore the thread
to the original uid and euid of the process.
