Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Date: Fri, 28 Nov 2003 14:06:29 +0200
From: Baurjan Ismagulov
To: cygwin AT cygwin DOT com
Subject: Re: setreuid
Message-ID: <20031128120627.GC21415@ata.cs.hacettepe.edu.tr>
In-Reply-To: <20031017135203.GU25076@cygbert.vinschen.de>
User-Agent: Mutt/1.5.4i

Hello,

hope you still remember this thread :) (http://cygwin.com/ml/cygwin/2003-10/msg00914.html).

On Fri, Oct 17, 2003 at 03:52:03PM +0200, Corinna Vinschen wrote:
> > > Start a
> > > service under system account as inetd and let it handle the user context
> > > switch.
> > Thanks for the tip, I'll do so.
> To be more correct: Start inetd or xinetd as service, and add rsync to
> /etc/inetd.conf or /etc/xinetd.d/. Or, if rsync can handle this (I don't
> know), start it directly from cygrunsrv also under SYSTEM account.

I've played with all alternatives, and everything works fine (BTW, it was a TFTP server).
After some thinking I decided to keep the setup as simple as possible, and not to use inetd. So, I have the following options:

1. Patch the server not to use setreuid, install it as a service and run it as SYSTEM.
2. Install the server as a service, give the SYSTEM user "Create a token object" privilege and let the server setreuid to nobody.
3. Install the server as a service to be run as nobody or as a special user just for this service (say, "tftp").

I am personally inclined to use (1). It seems to me that (2) brings more risk than security, and that (3) differs not much from (1).

What do you think? Do you think (1) is the best solution? Which one would you prefer?

Thanks in advance,
Baurjan.
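Option (2) above depends on the server dropping from SYSTEM to an unprivileged account with setreuid and on that drop being permanent. The following is an added example, not code from this thread or from the TFTP server being discussed: a POSIX privilege-drop routine with the checks a reviewer would want (group and supplementary groups cleared first, every call's return value tested, and a verification that root cannot be regained afterwards). It assumes a POSIX platform such as Linux or Cygwin; on Cygwin the switch itself additionally requires the "Create a token object" privilege mentioned in the message, which the code cannot grant.

```c
/* Added example (not from the mailing-list thread): permanently dropping
 * privileges in a service that starts as root/SYSTEM.  POSIX calls only.
 * Feature macros must precede the first include so setreuid/setgroups are
 * declared under strict -std modes. */
#define _DEFAULT_SOURCE 1
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop real and effective ids to uid/gid, permanently.
 * Returns 0 on success, -1 with errno set on failure.
 * Order matters: supplementary groups and primary group are changed while
 * we are still privileged; the user id is changed last. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may call setgroups; an unprivileged caller has no
       privileged supplementary groups to shed, so skip it there. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setregid(gid, gid) != 0)
        return -1;
    if (setreuid(uid, uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop: all four ids must equal the target, and (unless the
 * target is root itself) an attempt to regain root must fail.  A success
 * here would mean the saved uid still held root and the drop was not
 * permanent.  Returns 1 if the process is safely de-privileged, else 0. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setreuid(0, 0) == 0)
        return 0;
    return 1;
}

/* Stand-alone demonstration: drop to the caller's own real ids (which always
 * succeeds) and report.  A real service would pass the ids of "nobody" or a
 * dedicated account such as "tftp". */
int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges failed: %s\n", strerror(errno));
        return 1;
    }
    if (!privileges_dropped(uid, gid)) {
        fprintf(stderr, "privilege drop could not be verified\n");
        return 1;
    }
    printf("running as uid %u gid %u, drop verified\n",
           (unsigned)uid, (unsigned)gid);
    return 0;
}
```

The routine mirrors the trade-off the message raises: option (2) only buys security if the service checks that the drop succeeded and is irreversible, which is exactly what privileges_dropped() tests; options (1) and (3) avoid the switch altogether by starting the service under the final account.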