Re: [hackers] [slock] [PATCH] Properly drop privileges

From: Quentin Rameau <quinq_AT_fifth.space>
Date: Wed, 7 Sep 2016 19:43:25 +0200

> Hey Quentin,
>
> > Just a question though, do we need to set a group to drop privileges
> > to? Wouldn't getting the gid out of the user name be sufficient?
>
> why cut the flexibility there?
It looks simpler to me to just give a user to drop privileges to.
A user always has a group attached to it, I guess if you set up a user
to give out all privileges, the corresponding group will be the same.
I'm not against having it, just raising the question as imho it
introduces (relative) configuration complexity rather than flexibility.

> If we extract the groups from a
> username, we would also have to deal with supplementary groups which
> has a big potential to fuck things up and impose security risks.
Why would we do that? There's no need to deal with supplementary
groups, only the principal group is sufficient.

> > Actually two questions, why the nogroup group instead of the nobody
> > group? I know that nogroup is present on OpenBSD, but the LSB
> > suggests the use of nobody:nobody[1] and doesn't evoke nogroup.
> > I don't really mind, just raising the question. :)
>
> I don't know why the LSB suggests that and the LSB is a fucking mess
> anyway. Point is, the NFS-argument is kinda bad,
I was just taking LSB as an example of an attempt to standardize things. ^^
The NFS isn't an argument, the pseudo-argument here is that nobody is
used as a group rather than nogroup. The NFS entry is not relevant.

> given for instance
> the NFSv4 implementation on Linux (idmapd) also sets nobody:nogroup.
Maybe on your distribution the packaged configuration uses nogroup as a
group.
But have a look at idmapd sources, the default mapped user is nobody,
and the default mapped group is nobody too [1].

> It's also been the standard value for quark since forever.
How is that an argument at all? ^^

Again I'm not really against that, just asking for some opinions.
I've got yours!
(I just discussed your arguments there because honestly they're not
really sound, some erroneous :p)


[1] utils/idmapd/idmapd.c:90 #define NFS4NOBODY_GROUP "nobody"
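
As an added illustration that is not part of the original message or of slock's code: the two configurations debated in this thread, sketched in C. The function names `resolve_ids` and `drop_privileges` are hypothetical; passing `NULL` as the group takes the gid from the user's passwd entry, while a group name overrides it.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* for setgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve the IDs to drop to (hypothetical helper). With group == NULL
 * the gid is the user's primary group from the passwd entry; otherwise
 * the named group is used. Returns 0 on success, -1 on an unknown name. */
int
resolve_ids(const char *user, const char *group, uid_t *uid, gid_t *gid)
{
	struct passwd *pw;
	struct group *gr;

	if (!(pw = getpwnam(user)))
		return -1;
	*uid = pw->pw_uid;
	*gid = pw->pw_gid;
	if (group) {
		if (!(gr = getgrnam(group)))
			return -1;
		*gid = gr->gr_gid;
	}
	return 0;
}

/* Drop from root to uid:gid (hypothetical helper). Order matters: groups
 * first, uid last, because after setuid() the process can no longer
 * change its groups. */
int
drop_privileges(uid_t uid, gid_t gid)
{
	if (setgroups(1, &gid) < 0) /* supplementary list = target gid only */
		return -1;
	if (setgid(gid) < 0 || setuid(uid) < 0)
		return -1;
	/* Check that root cannot be regained when the target is not root. */
	if (uid != 0 && setuid(0) == 0)
		return -1;
	return 0;
}
```
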
Received on Wed Sep 07 2016 - 19:43:25 CEST
