Re: Solaris privileges to use pinger w/o setuid-root

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sat, 26 Jan 2008 13:16:14 +1300

Frank Fegert wrote:
> On Fri, Jan 25, 2008 at 09:25:24AM +1300, Amos Jeffries wrote:
>>> i did a quick hack and patched Solaris privileges support into pinger.c
>>> from squid-2.6.STABLE18. This should allow to run pinger w/o setuid-root,
>>> while still being able to access ICMP-sockets. The $SQUID_USER gets the
>>> additional PRIV_NET_ICMPACCESS rights via:
>>> /usr/sbin/usermod -K defaultpriv=basic,net_icmpaccess $SQUID_USER
>>>
>>> While probably not so interesting for the general public, could someone
>>> with a bit more squid-code knowledge than me take a look at the patch?
>>> I just want to make sure i didn't inadvertedly break something else ;-)
>> Interesting and useful. Thank you.
>
> Thank you for your fast reply. I should add that i didn't invent the
> wheel here ;-) There is a quite nice documentation on the subject:
> http://docs.sun.com/app/docs/doc/816-4863/chap1-intro-net-01
> so credits should go towards Sun ;-)

Ah, in which case we have to ask: Is the code copyright available under
GPL v2 and later Lisences?

The copyright issues have been getting a bit of cleanup lately and we
don't want to go backwards if possible.

>
>> Seeing as the new code is almost all in one block with a specific purpose.
>> I'd create a new function pingerSetPrivs() private to the pinger to do it
>> and call it just before pingerOpen() instead.
>
> Good idea! I'll fix up a function today.
>
> Thanks,
>
> Frank

Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Received on Fri Jan 25 2008 - 17:16:15 MST

This archive was generated by hypermail pre-2.1.9 : Wed Jan 30 2008 - 12:00:09 MST