
Re: [RFC] PCP daemons running as non-root users

To: Nathan Scott <nathans@xxxxxxxxxx>
Subject: Re: [RFC] PCP daemons running as non-root users
From: "Frank Ch. Eigler" <fche@xxxxxxxxxx>
Date: Wed, 7 Nov 2012 11:17:30 -0500
Cc: pcp@xxxxxxxxxxx
In-reply-to: <2143500626.22841066.1352279777043.JavaMail.root@xxxxxxxxxx>
References: <y0mvcdiu88l.fsf@xxxxxxxx> <2143500626.22841066.1352279777043.JavaMail.root@xxxxxxxxxx>
User-agent: Mutt/1.4.2.2i

Hi, Nathan -

> [...]  *nod*.  The patch does a full privilege drop just before
> entering the main event processing loop (but after starting all
> agents which run as root unless they choose to not do so).  [...]

Aha.  That is simpler.

One wrinkle in this scheme would be that once we have authenticated
pmcd users, we'll want to make it possible for some of those users to
get native privileges, in the sense of being able to access
/proc/<her-pids>/....  It sounds like such a scheme would require
starting & keeping-open a root-privileged pmda open, which would
apprx. fork / setuid / do-proc-work / die-when-the-client-disconnects.
In the setuid-wrapper alternative, pmcd would manage that generally.

(Doing such user authentication in the first place will require some
auxiliary root process like saslauthd, but that's about the same in
both designs.)

- FChE
