On 02/13/2017 01:59 PM, Bernhard Reiter wrote:
Right now intelmqctl runs as the unix user who has access to the configuration files itself. If we want a different unix user (that has restricted access to intelmq resources) to change something in particular like one value, we have to implement some access control. The typical way of implementing this privilege separation is setuid/setgid or sudo/pkexec. Both have drawbacks if we want only a few selected points to be accessed. Setuid privileges a full process, sudo restricts its configuration to a set of parameters for the process.
Systemd also has the possibility to restrict the daemon's privileges; it's called "portable services": https://lwn.net/Articles/706025/ So instead of dropping privileges inside intelmq, that could be done by the process manager too.
Sebastian