Re: Could svn check permissions?

From: Colin Watson <cjwatson_at_flatline.org.uk>
Date: 2003-09-09 03:32:03 CEST

On Mon, Sep 08, 2003 at 02:50:39PM -0400, John Peacock wrote:
> Jack Repenning wrote:
> >You can still setgid() if the user ID is a member of the group, I
> >think.

You may only setgid() if the provided gid is your real or saved gid, or
if you have "appropriate privileges", which almost always means uid 0.
As a general rule, group membership affects filesystem permissions
(access control, ability to chown() to that group) rather than process
permissions.

http://www.opengroup.org/onlinepubs/007904975/functions/setgid.html

> >If you're trying to set yourself to a group of which you're not a
> >member, that would be a little weird anyway...
>
> That's what I thought too, but it kept throwing errors. My reading of
> setgid() for unpriveledged processes was that it could only switch to the
> real or saved group, not some other group that the user happened to be a
> member of. Doesn't make much sense to me...

When dropping privileges you generally need to do setgroups(), then
setgid(), then setuid().

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Tue Sep 9 03:33:32 2003

This message: [ Message body ]
Next message: John Peacock: "Re: Could svn check permissions?"
Previous message: Philip Martin: "Re: [PATCH] Change head/tail call in build/buildcheck.sh"
In reply to: John Peacock: "Re: Could svn check permissions?"
Next in thread: John Peacock: "Re: Could svn check permissions?"
Reply: John Peacock: "Re: Could svn check permissions?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]