Combining setuid/gid with our native semantics of users and groups was a bit challenging. I don't believe POSIX accumulates authorities. What you might be seeing is that when a user has multiple groups, setegid() adds the first group as the first group. The rest of the groups remain in the list. If you don't want them to, you may have to use a combination of setgroups() and setegid(). These should not remain in effect after the program that adds them completes (i.e. removed from the stack). If you are convinced that they really do, you should probably report it as a bug....

Patrick Botz
Senior Technical Staff Member
eServer Security Architect
(507) 253-0917, T/L 553-0917
email: botz@xxxxxxxxxx

security400-bounces@xxxxxxxxxxxx wrote on 03/10/2005 07:05:08 PM:

> Thank you for explaining this. Nothing I have tested has shed any light
> on the IFS file flags so your description really is helpful. It sounds
> like I should have used PASE for my tests rather than Qshell. I used the
> APIs like qsysetegid, qsyseteuid and qsysetgroups quite a bit. It was
> only through a lot of trial and error that I was able to build an
> understanding of these APIs because the manual only has a line or two
> describing what they do. One difference I did find with the set
> effective APIs is that they don't reset authorities when the program
> ends like adopt and seem to be cumulative until you do a swap.
>
> David Morris
>
> >>> botz@xxxxxxxxxx 03/10/05 4:53 PM >>>
> I'm a little rusty on this, but here's what I recall...
>
> SETUID is a POSIX concept that I think of as a combination of ADOPT and
> SWAP when applied to executable IFS programs (i.e. PASE). I don't recall
> for sure but it may cause some other type of behavior when applied to
> non-executable IFS files.
>
> It's like adopt in that it uses the authority of the owner of the file.
> It's like SWAP in that it only uses that authority while the program is
> running. I'm pretty sure it only applies to executable programs in IFS
> (i.e. PASE). It is not available for native OS400 programs.
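The setgroups() and setegid() combination Patrick suggests, as an added example that is not code from this thread; it assumes a POSIX environment such as PASE, a constructed cap of 256 group slots, and that the caller holds the privilege setgroups() requires:

```c
#define _GNU_SOURCE          /* glibc: expose setgroups()/setegid() prototypes */
#include <errno.h>
#include <grp.h>             /* setgroups() on Linux */
#include <stdio.h>
#include <unistd.h>          /* getgroups(), setegid(); setgroups() on AIX/PASE */

#define MAX_GROUPS 256       /* assumption: enough slots for one process's list */

/* Number of entries in list that are not `keep` (pure helper, no privilege). */
int count_extra_groups(const gid_t *list, int n, gid_t keep) {
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (list[i] != keep)
            extra++;
    return extra;
}

/*
 * Run with `target` as the only group.  setegid() changes just the effective
 * gid and leaves the supplementary list untouched, so the list is replaced
 * with setgroups() first and the result is checked with getgroups().
 * Returns 0 on success, -1 with errno set on failure (EPERM when the caller
 * lacks the privilege setgroups() needs), 1 if extra groups still remain.
 */
int restrict_to_group(gid_t target) {
    gid_t only[1] = { target };
    gid_t now[MAX_GROUPS];
    int n;

    if (setgroups(1, only) != 0 || setegid(target) != 0)
        return -1;
    n = getgroups(MAX_GROUPS, now);
    if (n < 0)
        return -1;
    return count_extra_groups(now, n, target) != 0;
}

int main(void) {
    gid_t before[MAX_GROUPS];
    int n = getgroups(MAX_GROUPS, before);
    printf("supplementary groups before: %d\n", n);
    switch (restrict_to_group(getegid())) {
    case 0:  puts("now running with a single group"); break;
    case 1:  puts("supplementary groups still present"); break;
    default: perror("restrict_to_group");
    }
    return 0;
}
```

The return code separates a privilege failure from groups that genuinely persisted after the calls, which is the case Patrick says should be reported as a bug.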