[gridengine dev] [DRAFT PATCH] Enhancement: exempt certain programs from execd control
Mark Dixon
m.c.dixon at leeds.ac.uk
Tue Nov 15 09:15:37 UTC 2011
On Fri, 11 Nov 2011, William Hay wrote:
...
>> Sorry for putting words in your mouth... although I think that after a
>> s/SUID root/CAP_SETGID/, the problems in the following paragraph are still at
>> least 66% true:
>>
>>>> However, I really don't like the idea of using SUID root binaries where
>>>> they're not necessary: they're a pain to make sure they do the right
>>>> thing, a pain to install correctly, and they make people suspicious.
>> ...
> Agreed, although exploiting CAP_SETGID is a bit harder.
>>
>> How widespread is CAP_SETGID support on platforms people run GE on?
>> Although my patch targets Linux, it's extensible to other platforms.
> Not very, I think. It only got as far as a draft. The nearest Solaris
> equivalent appears to be privileges which AFAICT lacks a CAP_SETGID
> equivalent.
...
Cheers William. Does this mean you no longer object to the approach taken
by my patch, or do you have other concerns?
Best wishes,
Mark
--
-----------------------------------------------------------------
Mark Dixon Email : m.c.dixon at leeds.ac.uk
HPC/Grid Systems Support Tel (int): 35429
Information Systems Services Tel (ext): +44(0)113 343 5429
University of Leeds, LS2 9JT, UK
-----------------------------------------------------------------