Hello,
I'm writing a small network daemon program and
want it to drop privileges after it opens a listening port.
I've looked at several programs in /usr/src/usr.sbin
and many do it in a similar way:
1) getpwnam(NTPD_USER) to find its home dir
2) check that the home dir belongs to root and isn't group-world writable
3) chroot() into that dir and then chdir("/")
4) setgroups(1, pw->pw_gid) to limit it to just 1 group
5) Finally call setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid)
and setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)
I have 2 questions:
1) Can't a compromised process change back to its saved root uid?
2) Why is setresuid() used and not setuid()? My program is
for OpenBSD, but I also want to keep it runnable on Linux
and Cygwin - and the latter one doesn't offer setresuid().
What was the reason to introduce setresuid() on BSD?
(Yes, I've read the man pages + a few Stevens books I have,
and also looked at OpenSSH portable)
Also is there maybe a good guide on priv. sep. on OpenBSD?
Regards
Alex
--
http://preferans.de