* Alexander Farber <[EMAIL PROTECTED]> [2007-01-22 12:54]:
> Hello,
> 
> I'm writing a small network daemon program and
> want it to drop privileges after it opens a listening port.
> 
> I've looked at the several programs in /usr/src/usr.sbin
> and many do it in the similar way:
> 
> 1) getpwnam(NTPD_USER) to find its home dir
> 2) check that the home dir belongs to root and isn't group-world writable
> 3) chroot() into that dir and then chdir("/")
> 4) setgroups(1, pw->pw_gid) to limit it to just 1 group
> 5) Finally call setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid)
>    and setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)
> 
> I have 2 questions:
> 
> 1) Can't a compromised process change back to its saved root uid?

no, because...

> 2) Why is setresuid() used and not setuid()? My program is
>     for OpenBSD, but I also want to keep it runnable on Linux
>     and Cygwin - and the latter one doesn't offer setresuid().
>     What was the reason to introduce setresuid() on BSD?

...setresuid sets the real, saved, and effective uids.

the answer why they are used is right in the manpage...

STANDARDS
     These functions are not part of the IEEE Std 1003.1 (``POSIX'')
     specification.  While they are not completely portable, they are the
     least ambiguous way to manage user and group IDs.

> Also is there maybe a good guide on priv. sep. on OpenBSD?

looking at the newer daemons that use privsep is the best guide out 
there. I suggest ntpd, it's relatively simple and clean.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
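The five steps from the original question and the point of the reply (setresuid() replaces the real, effective and saved uid at once, so no saved root uid is left to switch back to) as one C function. This is an added example, not code from the thread or from ntpd; the user name passed to drop_privileges() and the _GNU_SOURCE define (needed for the setresuid/getresuid prototypes on glibc, harmless on OpenBSD) are assumptions.

```c
#define _GNU_SOURCE            /* setresuid/getresuid prototypes on glibc */
#include <sys/types.h>
#include <sys/stat.h>
#include <grp.h>
#include <pwd.h>
#include <unistd.h>

/* Step 2: the chroot target must be a directory owned by root that is
 * neither group- nor world-writable; otherwise the unprivileged user could
 * plant files (e.g. a fake /etc) inside the jail. */
int chroot_dir_ok(uid_t owner, mode_t mode)
{
    return S_ISDIR(mode) && owner == 0 &&
           (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Steps 1-5 in order. Returns 0 on success, -1 on any failure; the caller
 * must exit rather than keep serving as root. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);   /* 1) unprivileged account */
    struct stat st;

    if (pw == NULL)
        return -1;
    if (stat(pw->pw_dir, &st) == -1 || !chroot_dir_ok(st.st_uid, st.st_mode))
        return -1;                        /* 2) refuse an unsafe jail dir */
    if (chroot(pw->pw_dir) == -1 || chdir("/") == -1)
        return -1;                        /* 3) enter the jail, cwd inside it */
    if (setgroups(1, &pw->pw_gid) == -1)
        return -1;                        /* 4) exactly one supplementary group */
    if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1 ||
        setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
        return -1;                        /* 5) real, effective AND saved ids */
    return 0;
}

/* Answer to question 1: after step 5 all three uids must equal the target
 * user, so a compromised process has no saved root uid to return to. */
int privileges_fully_dropped(uid_t expected)
{
    uid_t r, e, s;

    if (expected == 0 || getresuid(&r, &e, &s) == -1)
        return 0;
    return r == expected && e == expected && s == expected;
}
```

Call drop_privileges() right after bind()/listen() and before handling any client data; the check function is what a test of the daemon should assert on once it is running.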
