[gridengine dev] [DRAFT PATCH] Enhancement: exempt certain programs from execd control
Mark Dixon
m.c.dixon at leeds.ac.uk
Fri Nov 11 13:27:20 UTC 2011
On Fri, 11 Nov 2011, William Hay wrote:
...
> The reason I said privileges was that I was thinking of the
> (draft) POSIX capabilities, which have the nice CAP_SETGID functionality
> on Linux that gives a far lower level of privilege. Recent Linux
> versions can associate capabilities with files so on Linux you could
> grant a far lower level of privilege to qrsh to enable it to drop a
> group.
...
Hi William,
Sorry for putting words in your mouth... although I think that after a
s/SUID root/CAP_SETGID/, the problems in the following paragraph are still at
least 66% true:
>> However, I really don't like the idea of using SUID root binaries where
>> they're not necessary: they're a pain to make sure they do the right
>> thing, a pain to install correctly, and they make people suspicious.
...
How widespread is CAP_SETGID support on platforms people run GE on?
Although my patch targets Linux, it's extensible to other platforms.
Cheers,
Mark
--
-----------------------------------------------------------------
Mark Dixon Email : m.c.dixon at leeds.ac.uk
HPC/Grid Systems Support Tel (int): 35429
Information Systems Services Tel (ext): +44(0)113 343 5429
University of Leeds, LS2 9JT, UK
-----------------------------------------------------------------