On Apr 28, 2004 at 01:03, Zeus Ng <zeus.ng(a)isquare.com.au> wrote:
In the main.c file, there is a comment saying that
'we need to open fifo
before do_suid() and start the fifo server after all the socket are
initialized, to inherit them'. I'm wondering why SER has to do it like that.
You are using unstable (cvs HEAD branch). Since this is a moving target,
you should send mails realted to it on serdev(a)lists.iptel.org. serusers is
about stable.
Can't SER lower its privileges first (do_suid), then open fifo and start the
fifo server? The reason being that I want to run SER with an unprivileged
user. With the current implementation, the fifo file will be created by root
which is not accessible to anyone else. Unless I change the fifo_mode to
0666, which I don't want to, I can't make SER more secure and yet
accessible.
Check out the latest cvs (from yesterday).
Paste from the NEWS file:
sock_mode = <permissions> (e.g. sock_mode=0600: default value = 0660)
ser unix sockets and fifo will be created with this permissions
(old name fifo_mode is still supported, but deprecated)
sock_user = username|"uid"
sock_group = groupname|"gid"
change the owner and/or group of the ser unix sockets or fifo
Short example config snippet:
sock_mode=0600 # ser socket/fifo mode
sock_user="www-data" # ser socket/fifo owner
sock_group=nogroup
user=nobody # ser user (ser will suid to it)
sock_* is synonim to fifo_* (e.g. sock_mode=0600 will be applied both to fifo
and unix sockets).
Andrei