Re: [PATCH] Drop root privileges (if we have them)

Hi,

On Wednesday 17 September 2003 15:30, Chris Rankin wrote:
>  --- Andrey S Pankov <casper@kbuapa.kharkov.ua> wrote:
> > And what about (NOT implemented yet)?..
> > [Gatekeeper::Main]
> > LogFile=
> > TraceLevel=
> > ...which also need to be loaded before config file
> > is initialized.
> > If we are root, we can change ownership on logfile
> > before dropping privileges,
>
> We could.
>
> > but if we are suid root it is not possible I
> > think...
>
> Yes it is. But we aren't talking about running suid
> root anyway.

No, we aren't... We are talking about security...

>
> > It will be nice to have LogFileMode= option and
> > PidFile= option, just for
> > completeness
>
> "Just for completeness" is no reason at all. It's just
> "featuritis" - pointless feature-bloat.
>

You can have your own opinion... but I can't agree with you...

> > I think one doesn't need so "descriptive" config
> > vars, I'd rather like them to
> > be:
> > #
> > # User/Group: The name (or #number) of the
> > user/group to run GnuGK as.
>
> Well, this is moot. But considering the GateKeeper
> already has a concept of a "User" (as in "caller")
> then I strongly disagree here anyway. Descriptive is
> good. It stops users getting confused.
>

I don't know what "concept" you are talking about... Your workstation has such
a concept of "user" to be "person working on it", but this confuses
neither you nor your workstation, and GateKeeper itself (having the
above-mentioned "concept") doesn't care in any case about what "concepts" we
have all inside and around us... ;)ppp

GnuGK may have in its config:
[MySQLAuth]
Host=localhost
Database=billing
User=cwhuang
Password=123456
..."User" referring to _internal_ mysql privilege system... Are you getting 
confused...? ;)))

> > > Also I would rather skip test for
> >
> > IsPrivilegedUser() - is it necessary?
> >
> > One MUST have root privileges to switch (e.g. be
> > setuid root), but it is not

One MUST have root privileges = e.g. be setuid root

> > necessary to check if we are 'root' as
> > PProcess::SetUserName / SetGroupName()
> > returns FALSE on failure.
>
> The purpose of the setuid() call is not to be "setuid
> root" but to stop being root *permanently*. As such,

Are you sure you feel the difference between being root and having root privileges?

> we *care* if SetUserName() fails if we are root, and
> don't expect SetUserName() to work at all if we are
> not. So it's not enough to check if SetUserName()
> fails.

I don't see any difference, setuid() works not only for the root account...

>
> For reference, setuid() sets the real, effective and
> saved UIDs all at once, and is what /bin/login does.

DESCRIPTION
       setuid  sets  the  effective  user  ID  of the current process.  If the
       effective userid of the caller is root, the real and  saved  user  ID's
       are also set.

'man 2 setuid' is more descriptive... anyway, thank you for the explanations...

>
> Chris

--
Best regards,
Andrey S Pankov.


List: Openh323gk-users@lists.sourceforge.net
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id┘49
Homepage: http://www.gnugk.org/
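
Added example, not part of the original message and not GnuGK's code: the permanent root drop debated in this thread, written in C against plain POSIX calls. It checks for root first, treats any failure while root as fatal, and verifies that root cannot be regained; drop_privileges() and the uid/gid 65534 are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_result { DROP_OK = 0, DROP_NOT_ROOT = 1, DROP_FAILED = -1 };

/* Permanently switch from root to (uid, gid). Hypothetical helper. */
enum drop_result drop_privileges(uid_t uid, gid_t gid)
{
    /* Not privileged: there is nothing to drop, and the calls below
     * would be expected to fail, so this is not an error. */
    if (geteuid() != 0)
        return DROP_NOT_ROOT;
    if (uid == 0 || gid == 0)
        return DROP_FAILED;      /* refuse to "drop" to root */

    /* Order matters: groups first, while we are still allowed to. */
    if (setgroups(0, NULL) != 0) return DROP_FAILED;
    if (setgid(gid) != 0)        return DROP_FAILED;
    /* With euid 0, setuid() sets the real, effective and saved UIDs. */
    if (setuid(uid) != 0)        return DROP_FAILED;

    /* Verify: the IDs changed and root cannot be regained. */
    if (getuid() != uid || geteuid() != uid) return DROP_FAILED;
    if (getgid() != gid || getegid() != gid) return DROP_FAILED;
    if (setuid(0) == 0 || seteuid(0) == 0)   return DROP_FAILED;
    return DROP_OK;
}

int main(void)
{
    /* 65534 is an assumed unprivileged uid/gid ("nobody" on many systems). */
    switch (drop_privileges(65534, 65534)) {
    case DROP_OK:       puts("root dropped permanently"); return 0;
    case DROP_NOT_ROOT: puts("not root, nothing to drop"); return 0;
    default:            fputs("privilege drop failed, refusing to run\n", stderr);
                        return 1;
    }
}
```

A caller that gets DROP_FAILED should exit rather than continue, since the process may still hold root or be left with only part of the switch applied.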

