On 11/16/2010 03:36 PM, Dhaval Giani wrote:
> On Mon, Nov 15, 2010 at 2:59 PM, Jan Safranek <[email protected]> wrote:
>> As Fedora security guys pointed out in
>> https://bugzilla.redhat.com/show_bug.cgi?id=646478, suid is bad. We use suid
>> only to allow /bin/cgexec write access to /var/run/cgred.socket. So, let's add
>> new harmless 'cgred' group, modify the daemon to allow this user write access to
>> the socket and use sgid (to harmless 'cgred' group) on /bin/cgexec instead of
>> suid (to root).
>>
>> I am not sure where all the bits belong, especially the latter two patches could
>> be Fedora specific, if you want.
>>
>
> Right, so I am a bit nervous with these patches. Have you tested them
> enough? I think they should go in v0.37, but I am not so sure myself.
> I will trust your judgement on this one. Regarding 2 and 3, we have
> carried such patches in the past, and I don't think it a big deal. At
> the very least for any other distro it's a good template to base on.

Yes, I have tested them, that's why there is a lot of debug output in them as sgid executable cannot be checked with strace or gdb :).

Jan

_______________________________________________
Libcg-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libcg-devel
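
An added example, not part of the thread or of libcgroup's own code: a small audit of the layout proposed above, checking that `/bin/cgexec` is sgid to `cgred` rather than suid root and that `/var/run/cgred.socket` is writable by that group only. The paths and group name come from the message; the function names, finding flags and the assumption that write access is granted through the socket's group-write bit are hypothetical.

```c
/* Added example: audit the privilege layout described in the thread.
   Function names and finding flags are hypothetical; it is assumed the
   daemon grants access through the socket's group-write permission. */
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

enum {
    F_SUID_ROOT   = 1 << 0, /* setuid bit set and owner is root */
    F_NOT_SGID    = 1 << 1, /* setgid bit missing or wrong group */
    F_WORLD_WRITE = 1 << 2, /* writable by everyone */
    F_NO_GRP_WR   = 1 << 3  /* socket not writable by the wanted group */
};

/* Helper binary: must not be suid root, must be sgid to want_gid. */
int audit_exec(mode_t mode, uid_t uid, gid_t gid, gid_t want_gid)
{
    int f = 0;
    if ((mode & S_ISUID) && uid == 0) f |= F_SUID_ROOT;
    if (!(mode & S_ISGID) || gid != want_gid) f |= F_NOT_SGID;
    if (mode & S_IWOTH) f |= F_WORLD_WRITE;
    return f;
}

/* Daemon socket: group-writable by want_gid, never world-writable. */
int audit_socket(mode_t mode, gid_t gid, gid_t want_gid)
{
    int f = 0;
    if (!(mode & S_IWGRP) || gid != want_gid) f |= F_NO_GRP_WR;
    if (mode & S_IWOTH) f |= F_WORLD_WRITE;
    return f;
}

int main(void)
{
    struct group *g = getgrnam("cgred");
    struct stat ex, so;
    if (!g) { fprintf(stderr, "group cgred not found\n"); return 2; }
    if (stat("/bin/cgexec", &ex) || stat("/var/run/cgred.socket", &so)) {
        perror("stat");
        return 2;
    }
    int fe = audit_exec(ex.st_mode, ex.st_uid, ex.st_gid, g->gr_gid);
    int fs = audit_socket(so.st_mode, so.st_gid, g->gr_gid);
    printf("cgexec findings: 0x%x, socket findings: 0x%x\n", fe, fs);
    return (fe || fs) ? 1 : 0;
}
```

The program exits 0 when both objects match the sgid layout and 1 when any finding flag is set.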
