Combining setuid/gid with our native semantics of users and groups was a
bit challenging.

I don't believe POSIX accumulates authorities.

What you might be seeing is that when a user has multiple groups, setegid()
adds the first group as the first group. The rest of the groups remain in
the list. If you don't want them to, you may have to use a combination of
setgroups(), and setegid().

These should not remain in effect after the program that adds them
completes (i.e. removed from the stack).  If you are convinced that they
really do, you should probably report it as a bug....

Patrick Botz
Senior Technical Staff Member
eServer Security Architect
(507) 253-0917, T/L 553-0917
email: botz@xxxxxxxxxx


security400-bounces@xxxxxxxxxxxx wrote on 03/10/2005 07:05:08 PM:

> Thank you for explaining this. Nothing I have tested has shed any light
> on the IFS file flags so your description really is helpful. It sounds
> like I should have used PASE for my tests rather than Qshell. I used the
> APIs like qsysetegid, qsyseteuid and qsysetgroups quite a bit. It was
> only through a lot of trial and error that I was able to build an
> understanding of these APIs because the manual only has a line or two
> describing what they do. One difference I did find with the set
> effective APIs is that they don't reset authorities when the program
> ends like adopt and seem to be cumulative until you do a swap.
>
> David Morris
>
> >>> botz@xxxxxxxxxx 03/10/05 4:53 PM >>>
> I'm a little rusty on this, but here's what I recall...
>
> SETUID is a POSIX concept that I think of as a combination of ADOPT and
> SWAP when applied to executable IFS programs (i.e. PASE).  I don't recall
> for sure but it may cause some other type of behavior when applied to
> non-executable IFS files.
>
> It's like adopt in that it uses the authority of the owner of the file.
> It's like SWAP in that it only uses that authority while the program is
> running. I'm pretty sure it only applies to executable programs in IFS
> (i.e. PASE).  It is not available for native OS400 programs.
>
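The point Patrick makes above about setegid() versus setgroups() can be checked directly on any POSIX host (PASE included). The following C program is an added example, not code from either poster: it shows that setegid() changes only the effective group ID and leaves the supplementary group list exactly as it was, and that the setgroups() + setegid() combination is what actually reduces a process to a single group. It uses only standard POSIX calls (getgroups, setgroups, setegid, getegid); the MAX_GROUPS buffer size is an assumption for the example, and the setgroups() step is expected to fail with EPERM when run without the privilege to change group membership.

```c
/* Added example, not from the mailing-list thread. Assumes a POSIX system
 * (Linux, AIX, PASE); MAX_GROUPS is an arbitrary buffer size chosen here. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64

/* Number of supplementary groups the calling process currently holds. */
int supplementary_group_count(void)
{
    return getgroups(0, NULL);
}

/* 1 if gid appears in the supplementary group list, 0 otherwise. */
int holds_supplementary_group(gid_t gid)
{
    gid_t groups[MAX_GROUPS];
    int n = getgroups(MAX_GROUPS, groups);
    for (int i = 0; i < n; i++)
        if (groups[i] == gid)
            return 1;
    return 0;
}

/* setegid() on its own: the supplementary list is counted before and after
 * so the caller can see that it is untouched. Returns 0 or -errno. */
int switch_effective_group(gid_t gid, int *before, int *after)
{
    *before = supplementary_group_count();
    if (setegid(gid) != 0)
        return -errno;
    *after = supplementary_group_count();
    return 0;
}

/* The combination from the mail: setgroups() first (this is the call that
 * needs privilege), then setegid(), leaving the process with exactly one
 * group. Returns 0 on success, -errno on failure (-EPERM when unprivileged). */
int drop_to_single_group(gid_t gid)
{
    gid_t only = gid;
    if (setgroups(1, &only) != 0)
        return -errno;
    if (setegid(gid) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    gid_t g = getegid();
    int before = 0, after = 0;

    /* Re-setting the current effective GID always succeeds, which is enough
     * to show that the supplementary list does not shrink. */
    if (switch_effective_group(g, &before, &after) == 0)
        printf("setegid alone: %d supplementary groups before, %d after\n",
               before, after);

    int rc = drop_to_single_group(g);
    if (rc == 0)
        printf("setgroups+setegid: now %d supplementary group(s)\n",
               supplementary_group_count());
    else
        printf("setgroups+setegid failed: %s\n", strerror(-rc));
    return 0;
}
```

Run it once as an ordinary user and once with the privilege to call setgroups(): in the first case the supplementary count is unchanged by setegid() and the combined step reports EPERM; in the second the combined step leaves exactly one group. That is the behaviour to rely on when a program is meant to run with a single group's authority rather than the caller's full list.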

