[PATCH] Hal privilege separation
Artem Kachitchkine
Artem.Kachitchkin at Sun.COM
Fri Jan 20 14:10:50 PST 2006
> I must admit that there wasn't a big motivation for this. I'm not very familiar
> with how temporarily raising works and what the security implications of that
> are (and if it's portable to other systems). Couldn't some injected code then
> also temporarily raise privileges for example?
Schematically:
#include <sys/types.h>
#include <unistd.h>

/* hal_uid/hal_gid must hold the unprivileged hal user's IDs (e.g. looked
   up with getpwnam()) before drop_privileges() is called. */
static uid_t hal_uid, saved_uid;
static gid_t hal_gid, saved_gid;

/* Temporary drop: only the effective IDs change, the real and saved IDs
   keep their original (root) values. The group is changed first, because
   setegid() to another group is refused once the effective uid is non-zero. */
static void drop_privileges(void)
{
        setegid(hal_gid);
        seteuid(hal_uid);
}

/* Switch the effective IDs back to the saved (root) ones. */
static void raise_privileges(void)
{
        seteuid(saved_uid);
        setegid(saved_gid);
}

int main(void)
{
        saved_uid = getuid();
        saved_gid = getgid();
        drop_privileges();
        raise_privileges();
        /* exec() helper here */
        drop_privileges();
        /* ... */
        return 0;
}
Security-wise, this is nearly as safe as the hald-runner approach, but
less complex and more efficient.
> OTOH I think really separating it makes it easier to review, as it's really
> only a part of the code that runs as root.
With that I agree.
Please understand that I am not trying to criticize the patch - as far
as I'm concerned, privilege separation is always better than no
privilege separation. I'm just making sure all options are considered
and that we make well-informed design decisions.
-Artem.
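The following C is an added example, not code from the message above or from hal itself. It makes the mechanism behind the quoted question observable: the seteuid()-based temporary drop from the schematic changes only the effective IDs and leaves the saved set-user-ID at root, so the process, or any code injected into it, can seteuid() back; a setresuid()-based permanent drop sets the real, effective and saved IDs together and closes that path. can_regain_root() reads the three uids back with getresuid() to show the difference. setresuid()/getresuid() are Linux and BSD extensions rather than POSIX, which bears on the portability question raised in the quote; the uid/gid 65534 used in main() is an assumption for the demonstration (it is "nobody" on most Linux systems).

```c
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

/* setresuid()/getresuid() are Linux and BSD extensions (not POSIX, and not
 * in older Solaris); declared explicitly so the file builds without
 * _GNU_SOURCE being in effect when the headers were first included. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Temporary drop, as in the schematic above: only the effective IDs change.
 * The real and saved set-user-ID keep the value the process started with,
 * so a later seteuid(saved_uid) can switch back. Returns 0 or -1 (errno). */
int drop_temporarily(uid_t uid, gid_t gid)
{
    if (setegid(gid) < 0)   /* group first: refused once the euid is non-root */
        return -1;
    if (seteuid(uid) < 0)
        return -1;
    return 0;
}

/* Permanent drop: real, effective and saved IDs are all set, so no later
 * seteuid() in this process can reach root again. Returns 0 or -1 (errno). */
int drop_permanently(uid_t uid, gid_t gid)
{
    if (setresgid(gid, gid, gid) < 0)
        return -1;
    if (setresuid(uid, uid, uid) < 0)
        return -1;
    return 0;
}

/* 1 if any of the real, effective or saved uid is 0, i.e. the process (or
 * code injected into it) can still seteuid(0); 0 otherwise; -1 on error. */
int can_regain_root(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) < 0)
        return -1;
    return (r == 0 || e == 0 || s == 0) ? 1 : 0;
}

int main(void)
{
    /* Assumed IDs for the demonstration; hald would use the hal user's. */
    const uid_t unpriv_uid = 65534;
    const gid_t unpriv_gid = 65534;

    if (getuid() != 0) {
        printf("run as root to see the two kinds of drop differ\n");
        return 0;
    }

    if (drop_temporarily(unpriv_uid, unpriv_gid) < 0)
        return 1;
    printf("after temporary drop:  euid=%u can_regain_root=%d\n",
           (unsigned)geteuid(), can_regain_root());

    /* The equivalent of raise_privileges(): allowed because suid is still 0. */
    if (seteuid(0) < 0 || setegid(0) < 0)
        return 1;
    printf("after raise:           euid=%u can_regain_root=%d\n",
           (unsigned)geteuid(), can_regain_root());

    if (drop_permanently(unpriv_uid, unpriv_gid) < 0)
        return 1;
    printf("after permanent drop:  euid=%u can_regain_root=%d\n",
           (unsigned)geteuid(), can_regain_root());
    printf("seteuid(0) now %s\n", seteuid(0) == 0 ? "succeeds" : "fails");
    return 0;
}
```

Run as root on Linux, the first two lines report can_regain_root=1 and the third 0, after which seteuid(0) fails with EPERM. Run as an ordinary user, both drops to the caller's own IDs succeed and can_regain_root() is 0 throughout, which is what a check in a daemon's unprivileged child should assert before it starts handling untrusted input.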
More information about the hal mailing list