
Re: Does Perl need a special variable for saved-UID/GID?

From: Alan Burlison
Date: May 31, 2004 15:59
Subject: Re: Does Perl need a special variable for saved-UID/GID?
Message ID: 40BBB8AB.7020901@sun.com

Paul Fenwick wrote:

> Ton Hospel directed me to 
> http://www.cs.berkeley.edu/~hchen/paper/usenix02.html (Setuid 
> Demystified -- Hao Chen, David Wagner and Drew Dean).  The paper is very 
> detailed and well thought-out, and suggests an API to allow navigation 
> of the set*id calls in a cross-platform fashion.  In particular, it 
> suggests the implementation of:
> 
>     drop_priv_temp($uid)
>     drop_priv_perm($uid)
>     restore_priv()
> 
> which have much simpler to understand semantics than the traditional 
> POSIX calls.  These cover the most commonly required privilege 
> manipulations, and it *should* be possible to define these on all 
> systems that have the three concepts of real/effective/saved UIDs.

FYI, Solaris 10 adds a new privilege model (Process Rights Management, 
AKA Least Privileges), based on that used in Secure Solaris which allows 
you very fine-grained control of process privileges.  Solaris 10 comes 
with two perl modules to allow you to manipulate the privileges.  For 
more on the S10 privileges model, see the following links:

http://docs.sun.com/db/doc/816-4557/6maosrjfj?a=view
http://docs.sun.com/db/doc/816-4557/6maosrjh7?a=view
http://docs.sun.com/db/doc/816-4557/6maosrjgl?a=view
http://docs.sun.com/db/doc/816-4863/6mb20lvf5?a=view

-- 
Alan Burlison
--
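
The three calls quoted above, sketched in Perl as an added example (not code from the paper, from either poster, or from the Perl core). It assumes the process starts with effective UID 0, handles UIDs only, and uses 65534 as a constructed sample target UID.

```perl
# Added example. Assumes the process starts with effective UID 0.
# UIDs only: GIDs and supplementary groups must be dropped first,
# while the process is still privileged.
use strict;
use warnings;
use POSIX ();

my $priv_uid;    # effective UID in force before a temporary drop

# Temporary drop: change only the effective UID, so the privileged
# UID stays in the saved set-user-ID for restore_priv().
sub drop_priv_temp {
    my ($uid) = @_;
    $priv_uid = POSIX::geteuid();
    $> = $uid;
    die "temporary drop to UID $uid failed: $!\n"
        unless POSIX::geteuid() == $uid;
}

# Undo drop_priv_temp().
sub restore_priv {
    die "no temporary drop in effect\n" unless defined $priv_uid;
    $> = $priv_uid;
    die "restore to UID $priv_uid failed: $!\n"
        unless POSIX::geteuid() == $priv_uid;
    undef $priv_uid;
}

# Permanent drop: real, effective and saved UID must all become $uid.
sub drop_priv_perm {
    my ($uid) = @_;
    die "refusing to drop to UID 0\n" if $uid == 0;
    restore_priv() if defined $priv_uid;    # setuid() sets all three only when euid is 0
    my $old = POSIX::geteuid();
    die "setuid($uid) failed: $!\n" unless defined POSIX::setuid($uid);
    die "real/effective UID not $uid after setuid\n"
        unless POSIX::getuid() == $uid && POSIX::geteuid() == $uid;
    # Perl cannot read the saved UID, so probe it: regaining must fail.
    $> = $old;
    die "still able to return to UID $old\n" if $old != $uid && POSIX::geteuid() == $old;
}

if (POSIX::geteuid() == 0) {
    my $uid = 65534;    # constructed sample target UID
    drop_priv_temp($uid);
    restore_priv();
    drop_priv_perm($uid);
    printf "real=%d effective=%d\n", POSIX::getuid(), POSIX::geteuid();
}
```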



