>>>>> On Mon, 5 Dec 2005 07:02:09 -0500, Robert Story <[EMAIL PROTECTED]> said:
Robert> Yes, though the persistent store can be written at other times
Robert> too. The temporary switch to root would probably be needed in
Robert> other scenarios too (I think some platforms use kernel APIs
Robert> that require root access).

/me is done thinking (yeah, right...)

Issues:

1) I don't think we should switch back to root to write files

2) I think the files should be owned by something other than root if
   they need to be written to by an agent running as a different user.

3) I think the correct fix is actually to define which tokens are
   allowed to exist in the persistent storage file. Something like
   netsnmp_app_register_persistent_token("foo") which would specify
   that token was legal to load from a persistent storage file.

   That's easy enough to implement except for that part of having to
   know what file the persistent storage is actually in. There are a
   number of ways that could be done, of course, but my thinking is
   that the easiest way is to put something like:

     if (user != root && file_owner == process_owner &&
         ! netsnmp_ds_get_boolean(NEW_FLAG_FOR_ALLOW_ANYWAY) &&
         token_is_not_registered_for_persistance(current_token)) {
         log error
         skip to next line
     }

   That looks fairly hacky from the reading point of view, but it's
   quite clean from a code-elsewhere point of view... I actually
   think the above test should really only apply if the user was being
   downgraded (i.e., if I start it as "me" and don't say to switch to
   something else then don't issue the error)

--
Wes Hardaker
Sparta, Inc.
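
The check proposed in this message, as an added example that is not part of the original email and not Net-SNMP code. The names register_persistent_token and load_persistent, the downgraded and allow_anyway parameters, and the sample file contents are assumptions made for illustration.

```c
/* Added illustration; not Net-SNMP code. All function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
static const char *allowed[32];
static size_t n_allowed;
/* Constructed sample persistent file: one registered token, one not. */
static const char SAMPLE[] =
    "# constructed sample\nengineBoots 12\n\nsomeOtherDirective value\n";

/* Stand-in for the proposed netsnmp_app_register_persistent_token(). */
int register_persistent_token(const char *tok) {
    if (n_allowed == sizeof allowed / sizeof *allowed) return -1;
    allowed[n_allowed++] = tok;
    return 0;
}

static int token_registered(const char *tok, size_t len) {
    for (size_t i = 0; i < n_allowed; i++)
        if (strlen(allowed[i]) == len && memcmp(allowed[i], tok, len) == 0)
            return 1;
    return 0;
}

/* Returns how many lines were skipped; *accepted (optional) gets the rest. */
int load_persistent(const char *text, uid_t proc_uid, uid_t file_uid,
                    int downgraded, int allow_anyway, int *accepted) {
    /* Enforce only for an agent that dropped from root and owns the file. */
    int enforce = downgraded && proc_uid != 0 &&
                  file_uid == proc_uid && !allow_anyway;
    int skipped = 0, ok = 0;
    for (const char *line = text; *line; line += (*line == '\n')) {
        const char *tok = line + strspn(line, " \t");
        size_t len = strcspn(tok, " \t\n");
        line += strcspn(line, "\n");           /* move to end of this line */
        if (len == 0 || *tok == '#') continue; /* blank line or comment */
        if (enforce && !token_registered(tok, len)) {
            fprintf(stderr, "unregistered token '%.*s' skipped\n", (int)len, tok);
            skipped++;
        } else ok++;
    }
    if (accepted) *accepted = ok;
    return skipped;
}

int main(void) {
    register_persistent_token("engineBoots");
    printf("skipped=%d\n", load_persistent(SAMPLE, 1000, 1000, 1, 0, NULL));
    return 0;
}
```
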
_______________________________________________
Net-snmp-coders mailing list
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders