[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [E-devel] Priviledged Execution



On Tue, 7 Nov 2006 09:51:31 -0600 Brian Mattern <brian.mattern@gmail.com>
babbled:

> On Mon, Nov 06, 2006 at 03:50:32PM -0500, Michael Jennings wrote:
> > On Monday, 06 November 2006, at 16:30:16 (+0100),
> > Essien Ita Essien wrote:
> > 
> > > I'm just putting out feelers for ideas (a.k.a. best practices if
> > > such exist), for how to implement Priviledged Execution for
> > > Entrance_Edit_GUI
> > 
> > Best practice:  Don't do it.
> > 
> > > The problem is that, the config file is /etc/entrance_config.cfg,
> > > which is protected file, but all users *can* run entrance_edit_gui
> > > for now.
> > 
> > There is no point letting any user run entrance_edit_gui.  Only root
> > should be able to run it.
> > 
> > > Whats the best practice for implementing stuff like this in a GUI
> > > environment?
> > 
> > Don't.  It's too hard to audit the code.
> 
> He still needs a solution to his problem. Namely "How do I let people
> configure entrance from a gui without having to touch the command line".
> 
> One possibility is to have an "entrance" group that has write
> permissions to the config file. Then just require the users that want to
> run the config editor to be part of this group.

personally i'd just leave configuring entrance to doing it FROM entrance (so
you can also see the changes live as you edit!) like most programs offer a
config dialog FROM the program. i'd maybe let the gui run as either root OR as
a "entrance" user id (for example) and a helper suid root tool copies the config
file from a tmp spot to the real one (and maybe tells the real entrance to
reload it, checks that your user is allowed to configure entrance - for
example the entrance user would be allowed). keep the suid root helper really
simple and small so it doesn't have security holes (e17' has 2 suid root helpers
itself. one for cpufreq module and one for enlightenment_sys for shutdown,
reboot, suspend etc.).

> rephorm.
> 
> 
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> enlightenment-devel mailing list
> enlightenment-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
> 


-- 
------------- Codito, ergo sum - "I code, therefore I am" --------------
The Rasterman (Carsten Haitzler)    raster@rasterman.com
裸好多
Tokyo, Japan (東京 日本)