Re: setuid for priv sockets?
- Subject: Re: setuid for priv sockets?
- From: "Duane Murphy" <email@hidden>
- Date: Mon, 27 Oct 2008 15:49:36 -0700
--- At Mon, 27 Oct 2008 17:49:35 -0400, Stephen Hoffman wrote:
>Damien Sorresso writes:
>
>> We're strongly (and I do mean strongly) trying to move people off of
>> setuid binaries. If it's a command line application, you can just
>> require that the user run it as root or with sudo if performing
>> actions that require access to this privileged port.
>
>Not passing out root or sudo access is a common practice in various
>production and security-conscious environments. Within those
>environments (and I deal with folks that are severely allergic to
>passing out root access), setuid can be an invaluable palliative.
>
>I'm quite willing to move to another approach or environment or tool or
>interface here. But suggesting that they pass out root access as a
>solution for starting up certain command-line tools is just going to
>get me a heaping raft of static with these good folks.
>
>Please don't take away setuid without an alternative. And no, sudo
>isn't a solution.

In the past BSDLLCTest <http://developer.apple.com/samplecode/BSDLLCTest/index.html> and MoreAuthSample have been the reference for how to do
similar functions. The solution described can use setuid root tools (set
afterward). Might be worth a look.

In the past, it has been suggested that if you follow Apple's
suggestions they will at least try and help with a new solution if one
is required. There are lots (and I mean lots) of us that use solutions
similar to MoreAuthSample.
...Duane