On 01/17/2018 10:21 AM, William Hubbs wrote:
>
> For both A and B above I think you mean owner/group/permissions right?

Yep.

>> 2. It should have a flag (say, --as=<user>[:group]) to make it run as
>> an unprivileged user. Basically a portable "su -c".
>
> I'm not following why I need this.
>
>> 3. It should die if it's used in a directory that is writable by
>> anyone other than itself or root. (If it's feasible, we might want
>> to check the parent directories all the way up to the root; if I can
>> write to "b", then I can write to "e" in /a/b/c/d/e.)
>
>> Since newpath can't modify existing paths, the aforementioned "--as"
>> flag will be needed to avoid this error.
>
> Which error are you referring to? I don't follow you here. I don't see
> how newpath not modifying existing paths is related to this.
>

If I want to create /run/foo and /run/foo/bar, both owned by the "foo"
user, how would I do it using newpath?

1. I could create /run/foo with owner "foo", and then create /run/foo/bar
with owner "foo". That can be done without modifying existing
permissions, but it's not safe, because you wind up working as root in
the directory /run/foo which is owned by the non-root "foo" user. If
newpath disallows that unsafe operation, this approach is out.

2. I could create /run/foo as root:root, and then create /run/foo/bar as
"foo". That much is safe, but then what do I do about /run/foo? It
already exists, so if newpath will refuse to modify existing paths, then
this approach is out too.

That leaves...

3. I can create /run/foo with owner "foo", and then setuid to the foo
user. Now, *as the foo user* I can create /run/foo/bar, which will be
owned by "foo". There's no risk in doing so, because the "foo" user can
only trick himself. Moreover, the directory is writable only by root and
the OpenRC user (currently: foo) at that point, so the extra safety
precautions don't get in the way.
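
The third approach above (create the top directory as root with the service user as owner, become that user, then create the subdirectory inside it), together with the "writable by anyone other than itself or root" check from item 3, written out as an added C example. This is not OpenRC's newpath and not code posted in the thread; the function names dir_safe_for, mkdir_owned and drop_to, the 0750 mode, the "mkdir_as USER PARENT NAME SUB" command line and the fact that the parent check covers one level only (it does not walk up to /) are this example's own assumptions.

```c
/* Added example, not OpenRC's newpath: the three-step approach from the
 * thread.  Names, modes and the command-line shape are assumptions. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Item 3 from the thread as a pure predicate: a directory is safe to work
 * in only if it is owned by root or by the user we currently run as, and
 * is not writable by group or other.  Pure so it can be tested with a
 * constructed struct stat. */
int dir_safe_for(const struct stat *st, uid_t running_as)
{
    if (!S_ISDIR(st->st_mode))
        return 0;
    if (st->st_uid != 0 && st->st_uid != running_as)
        return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Create `path` for uid:gid.  mkdir() fails with EEXIST if it is already
 * there, so an existing path is never modified.  Ownership is changed
 * through an O_NOFOLLOW descriptor, and only after confirming the entry
 * is the directory we just made (still owned by our own euid). */
static int mkdir_owned(const char *path, mode_t mode, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd, rc;

    if (mkdir(path, mode) != 0)
        return -1;
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;          /* not the directory we created */
        return -1;
    }
    rc = (fchown(fd, uid, gid) == 0 && fchmod(fd, mode) == 0) ? 0 : -1;
    close(fd);
    return rc;
}

/* The "--as" / portable "su -c" step: become pw for good (supplementary
 * groups, gid, then uid) and verify that root cannot be regained. */
static int drop_to(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0
        || setuid(pw->pw_uid) != 0)
        return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0) {
        errno = EPERM;          /* the privilege drop did not stick */
        return -1;
    }
    return 0;
}

/* usage (run as root): mkdir_as USER PARENT NAME SUB
 * e.g. mkdir_as foo /run foo bar -> /run/foo (foo-owned), /run/foo/bar */
int main(int argc, char **argv)
{
    char top[4096], sub[4096];
    struct stat st;
    struct passwd *pw;

    if (argc != 5) {
        fprintf(stderr, "usage: %s user parent name sub\n", argv[0]);
        return 2;
    }
    if ((pw = getpwnam(argv[1])) == NULL) {
        fprintf(stderr, "no such user: %s\n", argv[1]);
        return 1;
    }
    snprintf(top, sizeof top, "%s/%s", argv[2], argv[3]);
    snprintf(sub, sizeof sub, "%s/%s", top, argv[4]);

    /* 1. Still root: the parent must be root-owned and not group/other
     *    writable, or somebody else could plant a symlink under it. */
    if (stat(argv[2], &st) != 0 || !dir_safe_for(&st, geteuid())) {
        fprintf(stderr, "%s: missing or unsafe parent directory\n", argv[2]);
        return 1;
    }
    if (mkdir_owned(top, 0750, pw->pw_uid, pw->pw_gid) != 0) { perror(top); return 1; }

    /* 2. Become the owner before doing anything inside the directory it owns. */
    if (drop_to(pw) != 0) { perror("drop_to"); return 1; }

    /* 3. The same check passes now because the directory is ours (and was
     *    created without group/other write bits), so no special-casing. */
    if (stat(top, &st) != 0 || !dir_safe_for(&st, geteuid())) {
        fprintf(stderr, "%s: unsafe after privilege drop\n", top);
        return 1;
    }
    if (mkdir(sub, 0750) != 0) { perror(sub); return 1; }
    return 0;
}
```

Note that the check in step 1 uses the root euid, so while still root it insists on a root-owned parent; after drop_to() the same predicate accepts the foo-owned /run/foo. A /tmp-style 1777 directory fails the predicate at either stage, which is the point of item 3.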
