set user id for service ?

Matthew Johnson dbus at matthew.ath.cx
Thu Sep 14 14:00:42 PDT 2006


On Thu, 14 Sep 2006, Thiago Macieira wrote:

> frederic heem wrote:
>> Unfortunately, making the program setuid is considered insecure.
>> Another solution is to use sudo to restrict who can start the service,
>> i.e the messagebus
>
> Put the setuid-user program or wrapper in an 0500 messagebus-owned
> directory.

It's still not very elegant.

>
> But if anyone can start the program (via D-Bus), what's the harm in
> letting anyone start the program directly?
>

restricting environment?

It's generally considered good practice to reduce the number of setuid
things and the amount of trusted code. It's better if one person writes
well known and studied code that has to be trusted than twenty people
write unscrutinized code which has to be run as root.

Matt

-- 
Matthew Johnson
http://www.matthew.ath.cx/


More information about the dbus mailing list