From: Liam Helmer (linuxlists_at_thevenue.org)
Date: Thu 13 May 2004 - 21:19:50 BST
I think that you're honestly better off creating some kind of pipe or
socket where the commands come through, which has a list of functions
that it can provide. That way you can have a list, and see if there's a
match for what's sent. It'd really be quite hard to implement a SUID
type of arrangement here in a way that's secure... a lot of variables.
Maybe a pipe running as a use on the box that calls sudo with the
command, and then you have sudo do the command checking for you, etc.
That doesn't sound too difficult actually... hmm.
On Thu, 2004-05-13 at 18:00, Chris Wright wrote:
> * Gregory (Grisha) Trubetskoy (grisha_at_ispol.com) wrote:
> > Has there been any discussion of having a feature whereby a binary would
> > be executed with higher capabilities automatically?
> This can be done with two ways. Normail setuid-root will elevate, and
> then some LSM modules like SELinux and LIDS can define which
> capabilities a program will get when it's exectued.
Vserver mailing list