[Pkg-shadow-devel] patch for su - 2

Tomasz Kłoczko kloczek@zie.pg.gda.pl
Thu, 9 Jun 2005 20:01:11 +0200 (CEST)



On Sun, 5 Jun 2005, Alexander Gattin wrote:
[..]
> > So IMO this patch is still incomplet.
> > Some for above patrts are now implemented in SELINUX conditions.
>
> Could you give us an example how are they implemented,
> please?

Sorry, but it seems I'm wrong. SELinux contains some abilities to grant access
to the passwd file, but, for example, giving permission to change uid/gid is
part of capabilities (IIRC the CAP_SETGID and CAP_SETUID caps).
Probably looking at some example code in libcap will help solve this.

BTW: probably it would be good to extend su/sg to allow changing uid/gid
together with changing the available set of capabilities. For example, it
would be good to perform su to a kind of service account with a minimal set
of CAPs plus CAP_BIND for binding to ports <= 1024 (after binding to the
network device it is possible to drop this CAP as well).

kloczek
-- 
-----------------------------------------------------------
*People don't have problems, they only create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek@rudy.mif.pg.gda.pl*
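The two-stage privilege drop sketched above (switch to a service account holding only the capability needed to bind a port below 1024, then drop that capability too once the socket is bound) as an added example, not code from the shadow project or from the poster. It uses the raw Linux capget(2)/capset(2) syscalls rather than libcap, so it needs no extra library; the capability that actually governs binding to privileged ports is CAP_NET_BIND_SERVICE. The helper names (`cap_read`, `cap_drop_all_but`, `cap_effective_subset_of`) and the constructed keep-list `kKeepBind` are assumptions of this example, not kernel or libcap APIs.

```c
/* Added example (not from the shadow project): shrink a process's capability
 * sets to a keep-list using capget(2)/capset(2). Linux-only; assumes the v3
 * capability ABI (two 32-bit words per set, _LINUX_CAPABILITY_U32S_3 == 2). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

typedef struct {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
} capstate_t;

/* Constructed keep-list for stage 1: only the port-binding capability. */
const int kKeepBind[] = { CAP_NET_BIND_SERVICE };
const size_t kKeepBindLen = sizeof kKeepBind / sizeof kKeepBind[0];

/* Read the calling thread's capability sets. Returns 0 or -errno. */
int cap_read(capstate_t *st) {
    memset(st, 0, sizeof *st);
    st->hdr.version = _LINUX_CAPABILITY_VERSION_3;
    st->hdr.pid = 0;                      /* 0 selects the calling thread */
    if (syscall(SYS_capget, &st->hdr, st->data) != 0) return -errno;
    return 0;
}

/* Build per-word bitmasks from a list of CAP_* numbers. */
static void cap_build_mask(const int *keep, size_t nkeep,
                           uint32_t mask[_LINUX_CAPABILITY_U32S_3]) {
    memset(mask, 0, sizeof(uint32_t) * _LINUX_CAPABILITY_U32S_3);
    for (size_t i = 0; i < nkeep; i++)
        mask[CAP_TO_INDEX(keep[i])] |= CAP_TO_MASK(keep[i]);
}

/* Is capability 'cap' currently in the effective set? */
int cap_effective(const capstate_t *st, int cap) {
    return (st->data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}

/* Keep only keep[] in the permitted and effective sets and clear the
 * inheritable set. capset(2) only ever removes bits here, so this succeeds
 * for an unprivileged caller as well; lowering inheritable also makes the
 * kernel clear the ambient set. Returns 0 or -errno. */
int cap_drop_all_but(const int *keep, size_t nkeep) {
    capstate_t st;
    uint32_t mask[_LINUX_CAPABILITY_U32S_3];
    int rc = cap_read(&st);
    if (rc) return rc;
    cap_build_mask(keep, nkeep, mask);
    for (int w = 0; w < _LINUX_CAPABILITY_U32S_3; w++) {
        st.data[w].permitted &= mask[w];
        st.data[w].effective &= mask[w];
        st.data[w].inheritable = 0;
    }
    if (syscall(SYS_capset, &st.hdr, st.data) != 0) return -errno;
    return 0;
}

/* True iff the effective set holds nothing outside keep[]. */
int cap_effective_subset_of(const int *keep, size_t nkeep) {
    capstate_t st;
    uint32_t mask[_LINUX_CAPABILITY_U32S_3];
    if (cap_read(&st)) return 0;
    cap_build_mask(keep, nkeep, mask);
    for (int w = 0; w < _LINUX_CAPABILITY_U32S_3; w++)
        if (st.data[w].effective & ~mask[w]) return 0;
    return 1;
}

int main(void) {
    /* Stage 1: minimal set, just enough to bind a port below 1024. */
    int rc = cap_drop_all_but(kKeepBind, kKeepBindLen);
    printf("stage 1 (keep CAP_NET_BIND_SERVICE): rc=%d\n", rc);
    /* ... socket(2) + bind(2) to the privileged port would happen here ... */
    /* Stage 2: the socket is bound, so nothing privileged is needed anymore. */
    rc = cap_drop_all_but(NULL, 0);
    printf("stage 2 (drop everything): rc=%d, effective empty=%d\n",
           rc, cap_effective_subset_of(NULL, 0));
    return rc == 0 ? 0 : 1;
}
```

If the same program also changes uid/gid with setuid(2)/setgid(2) (the CAP_SETUID/CAP_SETGID part of the discussion), the uid change has to come before stage 2 and the process must call prctl(PR_SET_KEEPCAPS, 1) first, because by default the kernel clears the permitted set when the effective uid leaves 0.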