This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: setreuid


Hello,

Hope you still remember this thread :)
(http://cygwin.com/ml/cygwin/2003-10/msg00914.html).

On Fri, Oct 17, 2003 at 03:52:03PM +0200, Corinna Vinschen wrote:
> > > Start a
> > > service under system account as inetd and let it handle the user context
> > > switch.
> > Thanks for the tip, I'll do so.
> To be more correct:  Start inetd or xinetd as service, and add rsync to
> /etc/inetd.conf or /etc/xinetd.d/.  Or, if rsync can handle this (I don't
> know), start it directly from cygrunsrv also under SYSTEM account.

I've played with all alternatives, and everything works fine (BTW, it
was a TFTP server).

After some thinking I decided to keep the setup as simple as possible,
and not to use inetd. So, I have the following options:

1. Patch the server not to use setreuid, install it as a service and run
   it as SYSTEM.

2. Install the server as a service, give the SYSTEM user "Create a token
   object" privilege and let the server setreuid to nobody.

3. Install the server as a service to be run as nobody or as a special
   user just for this service (say, "tftp").

I am personally inclined to use (1). It seems to me that (2) brings more
risk than security, and that (3) does not differ much from (1). What do you
think? Do you think (1) is the best solution? Which one would you
prefer?

Thanks in advance,
Baurjan.
