[Intelmq-dev] How to implement process contol (Re: Run modes + Systemd + Crontab)
Sebastian Wagner
wagner at cert.at
Wed Apr 12 12:32:52 CEST 2017
On 02/13/2017 01:59 PM, Bernhard Reiter wrote
> Right now intelmqctl runs as the unix user who has access to
> the configuration files itself. If we want a different unix user (that has
> restricted access to intelmq resources) to change something in particular
> like one value, we have to implement some access control.
> The typical way of implementing this priviledge separation is setuid/setguid
> or sudo/pkexec. Both have drawback if we want only a few selected points to be
> accessed. Setuid priviledges a full process, sudo restricts its configuration
> to a set of parameters for the process.
Systemd also has the possibility to restrict the daemon's privileges,
it's called "portable services".
https://lwn.net/Articles/706025/
So instead of dropping privileges inside intelmq, that could be done by
the process manager too.
Sebastian
--
// Sebastian Wagner <wagner at cert.at> - T: +43 1 50564167201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 854 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/intelmq-dev/attachments/20170412/fee15aee/attachment.sig>
More information about the Intelmq-dev
mailing list