[gridengine dev] [DRAFT PATCH] Enhancement: exempt certain programs from execd control
William Hay
w.hay at ucl.ac.uk
Fri Nov 11 14:19:55 UTC 2011
On 11 November 2011 13:27, Mark Dixon <m.c.dixon at leeds.ac.uk> wrote:
> On Fri, 11 Nov 2011, William Hay wrote:
> ...
>> The reason I said privileges was that I was thinking of the
>> (draft)posix capabilities which has the nice CAP_SETGID functionality
>> on Linux that gives a far lower level of privilege. Recent linux
>> versions can associate capabilities with files so on Linux you could
>> grant a far lower level of privilege to qrsh to enable it to drop a
>> group.
> ...
>
> Hi William,
>
> Sorry for putting words in your mouth... although I think that after a
> s/SUID root/CAP_SETGID/, the problems in following paragraph are still at
> least 66% true:
>
>>> However, I really don't like the idea of using SUID root binaries where
>>> they're not necessary: they're a pain to make sure they do the right
>>> thing, a pain to install correctly, and they make people suspicious.
> ...
Agreed although exploiting CAP_SETGID is a bit harder.
>
> How widespread is CAP_SETGID support on platforms people run GE on?
> Although my patch targets Linux, it's extensible to other platforms.
Not very I think. It only got as far as a draft. The nearest Solaris
equivalent appears to be privileges which AFAICT lacks a CAP_SETGID
equivalent.
>
> Cheers,
>
> Mark
> --
> -----------------------------------------------------------------
> Mark Dixon Email : m.c.dixon at leeds.ac.uk
> HPC/Grid Systems Support Tel (int): 35429
> Information Systems Services Tel (ext): +44(0)113 343 5429
> University of Leeds, LS2 9JT, UK
> -----------------------------------------------------------------
>
>
>
More information about the dev
mailing list