On 21/01/16 18:12, Charles Duffy wrote:
> I have a setuid-root executable

... and now you have two problems? :-)

setuid executables are inherently dangerous: they run with one set of privileges (their euid), but their environment variables, resource limits, inherited file descriptors, etc. are controlled by a different, usually lower set of privileges (their real uid). Every piece of code run in this rather precarious situation needs to be designed to distrust things that normal application code can safely trust.

Executables that are not specifically designed to be run under setuid (including systemctl), and libraries that are not specifically designed to be setuid-safe, should not be run while setuid.

If you are completely confident that your setuid executable has sanitized its environment - most importantly, cleaning the environment via a whitelist, like <http://cgit.freedesktop.org/polkit/tree/src/programs/pkexec.c> does - then you can set the real and effective uids to the same value, effectively taking responsibility for dealing with the security boundary.

-- 
Simon McVittie
Collabora Ltd. <http://www.collabora.com/>

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel