On Thu, Feb 20, 2020 at 04:11:47PM -0500, Chris Tyler via talk wrote:
> Stewart, I'm having trouble understanding the author's reply to the SGID
> suggestion. What I was proposing was to set things up with a command like
> this (executed just once):
>
> # chown first: on Linux, chown clears the setgid bit on an executable
> BINARY=/path/to/binary ; sudo chown root:disk "$BINARY" ; sudo chmod 02711 "$BINARY"
>
> ...Which would mean that the user would have their effective group ID
> changed to 'disk' only while the binary was running. This means that,
> during program execution, it would have the same level of access as if
> the user belonged to the 'disk' group; however, this would drop back to
> their previous group membership when the binary exited. As a bonus, you
> don't have to change the system group memberships. (The program in question
> should, of course, guard against writing to the wrong device while it's
> running, and prevent shell-outs).

It also means any user running the program has that access, not just users
in group disk. That may be considered better or worse. I suppose the
program could check that the user belongs to some other group meant for
this program, but then it gets even more complicated.

-- 
Len Sorensen
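
The membership check suggested in the reply above, sketched in C as an added example (not code from this thread or from the program being discussed). The group name `imagers` and all function names are assumptions; the check relies on the fact that SGID changes only the effective GID, so the real GID and supplementary groups still identify the invoking user.

```c
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define ALLOWED_GROUP "imagers" /* hypothetical group name (assumption) */

/* Pure check: is `wanted` the real GID or one of the supplementary GIDs? */
int gid_in_set(gid_t wanted, gid_t rgid, const gid_t *groups, int n)
{
    if (wanted == rgid) return 1;
    for (int i = 0; i < n; i++)
        if (groups[i] == wanted) return 1;
    return 0;
}

/* SGID alters only the effective GID; the real GID and the supplementary
 * list are inherited from the invoking user, so those are what we test. */
int caller_in_group(gid_t wanted)
{
    int n = getgroups(0, NULL);            /* ask for the list size first */
    if (n < 0) return 0;
    gid_t *groups = malloc((size_t)(n ? n : 1) * sizeof *groups);
    if (!groups) return 0;                 /* fail closed */
    n = getgroups(n, groups);
    int ok = n >= 0 && gid_in_set(wanted, getgid(), groups, n);
    free(groups);
    return ok;
}

/* Permanently give up the SGID group: real, effective and saved GID = real. */
int drop_sgid(void)
{
    gid_t rgid = getgid();
    if (setregid(rgid, rgid) != 0) return -1;
    return getegid() == rgid ? 0 : -1;     /* verify the drop took effect */
}

int main(void)
{
    struct group *gr = getgrnam(ALLOWED_GROUP);
    if (!gr || !caller_in_group(gr->gr_gid)) {
        fprintf(stderr, "not a member of %s\n", ALLOWED_GROUP);
        return drop_sgid() == 0 ? 1 : 2;
    }
    /* ... open the device here, while the effective GID is still 'disk' ... */
    return drop_sgid() == 0 ? 0 : 2;       /* then run unprivileged */
}
```

Opening the device first and dropping the group immediately afterwards keeps the window in which the process holds 'disk' access as short as possible.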
