On Fri, Oct 16, 2009 at 12:29:47AM +0200, Matthias Kilian wrote:
> On Thu, Oct 15, 2009 at 05:43:01PM +0100, Edd Barrett wrote:
> > Here is a port of ziproxy-2.7.2 based upon an older attempt I had
> > knocking about.
> >
> > * makes new user and group.
> > * scaffolds log directory.
> > * add MESSAGE to inform safe execution.
> >
> > Unfortunately, ziproxy has no code to drop its privileges. I have
> > copied the method postgresql uses to do so. This means giving the new
> > user a proper shell.
>
> I'd just omit the creation of the _ziproxy group and user, since
> it's not technically used by ziproxy itself (like for privilege
> dropping). The MESSAGE could just mention that ziproxy doesn't drop
> privileges and that it had better not run with root privileges.
>
> Also, the SEPARATE_BUILD line looks odd. To my knowledge,
> SEPARATE_BUILD=concurrent isn't supported any longer.
>
> Apart from this, the port looks fine to me.

OK, after discussion with kili and sthen, here is a hacked version which
drops privileges *if* run as root (to _ziproxy). Via this method the new
user can have a /sbin/login shell.

Thanks sthen and kili for the ideas and example code.

--
Best Regards
Edd Barrett

http://students.dec.bmth.ac.uk/ebarrett
ziproxy2.tgz
Description: application/tar-gz
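
For readers without the attachment, a sketch of what "drop privileges *if* run as root" usually looks like in a C daemon. This is an added example, not the code from ziproxy2.tgz or from anyone in the thread; the function name `drop_privileges` is hypothetical and only the account name `_ziproxy` comes from the messages above.

```c
/* Added example: permanently drop root to an unprivileged account.
 * "_ziproxy" is the account named in the thread; the rest is assumed. */
#define _DEFAULT_SOURCE   /* exposes setgroups() on glibc */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 0 if not running as root (nothing to drop), 1 if privileges
 * were dropped to `user`, -1 on any failure (the caller must exit). */
int drop_privileges(const char *user)
{
    struct passwd *pw;

    if (geteuid() != 0)
        return 0;

    /* Resolve the account before giving anything up. */
    if ((pw = getpwnam(user)) == NULL)
        return -1;

    /* Order matters: supplementary groups, then gid, then uid. Once the
     * uid is gone the process can no longer change its groups. */
    if (setgroups(1, &pw->pw_gid) == -1)
        return -1;
    if (setgid(pw->pw_gid) == -1)
        return -1;
    if (setuid(pw->pw_uid) == -1)
        return -1;

    /* Verify the drop is permanent: regaining root must fail. */
    if (pw->pw_uid != 0 && (setuid(0) != -1 || seteuid(0) != -1))
        return -1;
    return 1;
}

int main(void)
{
    int rc = drop_privileges("_ziproxy");
    if (rc == -1) {
        fprintf(stderr, "cannot drop privileges, refusing to run as root\n");
        return 1;
    }
    puts(rc ? "now running as _ziproxy" : "not root, nothing to drop");
    return 0;
}
```

Every return value is checked because a silently failed `setuid()` leaves the daemon running as root; the account needs no login shell for this to work.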