
Re: privilege separation daemon ?



On Fri, Apr 18, 2003 at 07:13:26PM +0000, mailing wrote:
> Hi,
> 
> I have been working on a little daemon that allows getpw* and getgr* calls to
> be performed via a unix socket. The goal was to be able to authenticate users
> while in a chroot()-ed environment without having to copy the passwd database
> inside the chroot(). It appeared to me that with a few modifications, this
> could be easily transformed into a 'privilege separation' daemon, allowing
> applications to authenticate users without having to run as root as long as
> they have enough privileges to read and write to the socket.

I have mixed feelings about this.. How I solved this problem
is to back up the usual pw databases. Then rip out everything but the
single account that is usually required by, say, postgres and mysql ;-)
in order to chown.. So what do they have in the chroot()? 2 accounts
that do not have any real account access. They do not run or read
access any non-chrooted anything. That seems to me to defeat the purpose
even if it is well done.

Best Regards,
dreamwvr_(_at_)_dreamwvr_(_dot_)_com

-- 
/*  Security is a work in progress - dreamwvr                 */
#                                                             
# Note: To begin Journey type man afterboot,man help,man hier[.]      
#                                                             
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]
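
Added example, not part of the original thread and not the poster's daemon: a C sketch of the getpw*-over-a-unix-socket lookup described in the quoted message, with the request name validated and pw_passwd never returned. The line protocol, MAXNAME, and the names serve_one and lookup_via_socketpair are assumptions made for this illustration.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAXNAME 32 /* assumed cap on login-name length */

/* Accept only short names from a conservative character set. */
static int name_ok(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > MAXNAME) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("_-.", *s)) return 0;
    return 1;
}

/* Privileged side, outside the chroot: answer one "name\n" request with
 * "OK uid gid home shell\n" or "ERR\n". pw_passwd is never sent back. */
int serve_one(int fd) {
    char req[MAXNAME + 2] = {0}, out[512];
    if (read(fd, req, sizeof(req) - 1) <= 0) return -1;
    req[strcspn(req, "\n")] = '\0';
    struct passwd *pw = name_ok(req) ? getpwnam(req) : NULL;
    if (pw == NULL)
        snprintf(out, sizeof(out), "ERR\n");
    else
        snprintf(out, sizeof(out), "OK %u %u %s %s\n", (unsigned)pw->pw_uid,
                 (unsigned)pw->pw_gid, pw->pw_dir, pw->pw_shell);
    return write(fd, out, strlen(out)) < 0 ? -1 : 0;
}

/* Both ends in one process over socketpair() so the exchange runs offline;
 * in a deployment the client end belongs to the chrooted process. */
int lookup_via_socketpair(const char *name, unsigned *uid, unsigned *gid) {
    int sv[2], rc = -1;
    char buf[512];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int len = snprintf(buf, sizeof(buf), "%s\n", name);
    if (len > 0 && (size_t)len < sizeof(buf) &&
        write(sv[0], buf, (size_t)len) == len && serve_one(sv[1]) == 0) {
        memset(buf, 0, sizeof(buf));
        if (read(sv[0], buf, sizeof(buf) - 1) > 0)
            rc = sscanf(buf, "OK %u %u", uid, gid) == 2 ? 0 : -1;
    }
    close(sv[0]); close(sv[1]);
    return rc;
}
```

Because the reply carries only uid, gid, home and shell, a compromised client inside the chroot learns no password hashes from the socket.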


