2008/1/7, Lucas C. Villa Real <[EMAIL PROTECTED]>:
> On Jan 6, 2008 8:34 PM, Carlo Calica <[EMAIL PROTECTED]> wrote:
> > > > So what would happen in the above cron when using a uid/gid belonging
> > > > to someone else.
> > >
> > > I think it would just work, as the uid/gid "was there".
> >
> > Yeah it should work. May introduce a vulnerability through the shared
> > uid/gid. it would be horrible if cron shared ids with apache. I'd
> > recommend a policy where fixed ids like that start at 99 and work down
> > (avoid ISO shipped 0+, and dynamic 100-999). May need to patch
> > sources, but really the only secure choice. Am I being paranoid?
>
> That makes sense. Since there's no "well known ids" (except for the
> super-user), I think that's fair. I've just made that change to the
> patch.
> [...]
>
> The new patch finds attached. More comments?
>
Add a check so that get_next_system_id() doesn't loop above 1000?
A warning should be issued if adding the user/group fails.
One should be able to specify $HOME location for the user.
'useradd' and 'groupadd' have to be wrapped with $sudo_exec.
Maybe add code in RemoveProgram and SymlinkProgram to remove
groups/users when an application is removed.

--
/Jonas
_______________________________________________
gobolinux-devel mailing list
gobolinux-devel@lists.gobolinux.org
http://lists.gobolinux.org/mailman/listinfo/gobolinux-devel
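
One way to implement the allocation policy discussed in this thread (fixed ids start at 99 and count down, with a bounded loop and a warning on failure), as an added example that is not the attached patch or GoboLinux's own code. The names `next_fixed_id`, `id_in_use` and `demo_constructed`, the floor of 1, the account name `svc` and the sample passwd/group entries are assumptions constructed here.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not get_next_system_id() from the patch.
FIXED_ID_MAX=99   # policy from the thread: fixed ids start at 99 and work down
FIXED_ID_MIN=1    # assumption: search floor; 0 is the super-user

# id_in_use ID PASSWD_FILE GROUP_FILE: exit 0 if ID is already a uid or a gid.
# Field 3 is the uid in passwd(5) and the gid in group(5).
id_in_use() {
    awk -F: -v id="$1" '$3 == id { found = 1 } END { exit !found }' "$2" "$3"
}

# next_fixed_id [PASSWD_FILE [GROUP_FILE]]: print the highest id that is free as
# both uid and gid, so the new account shares neither with an existing one.
next_fixed_id() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    # Fail closed: an unreadable database must not make every id look free.
    if [ ! -r "$passwd_file" ] || [ ! -r "$group_file" ]; then
        echo "warning: cannot read $passwd_file or $group_file" >&2
        return 1
    fi
    candidate=$FIXED_ID_MAX
    while [ "$candidate" -ge "$FIXED_ID_MIN" ]; do   # bounded: never passes the floor
        if ! id_in_use "$candidate" "$passwd_file" "$group_file"; then
            echo "$candidate"
            return 0
        fi
        candidate=$((candidate - 1))
    done
    echo "warning: no free fixed id in $FIXED_ID_MIN-$FIXED_ID_MAX" >&2
    return 1
}

# Constructed sample databases: apache holds 99, a cron group holds 98.
demo_constructed() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'apache:x:99:99::/var/www:/bin/false' > "$dir/passwd"
    printf '%s\n' 'root:x:0:' 'apache:x:99:' 'cron:x:98:' > "$dir/group"
    next_fixed_id "$dir/passwd" "$dir/group"
    status=$?
    rm -rf "$dir"
    return "$status"
}

# The caller would then run, for a hypothetical account name "svc":
#   $sudo_exec groupadd -g "$id" svc && $sudo_exec useradd -u "$id" -g "$id" svc
demo_constructed
```

Checking the candidate against both files is what keeps a new service account from landing on an id another user or group already holds, the shared-id case raised in the thread.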