From: Pawel J. D. <ni...@ga...> - 2003-08-12 12:59:17
On Mon, Aug 11, 2003 at 04:11:35AM +0200, Michal Belczyk wrote:
+> Hello,
+> I'd like to share my opinion about the last change made to the screen.cb
+> policy. First of all, IMHO the primary target of this policy was to have
+> a non-root screen process(es) instead of one root-owned and one
+> user-owned. To make it work "properly" the policy allowed screen to
+> chown(2) ttys and to open(2) utmp file. Reading system passwords wasn't
+> obviously possible.
+> After the last commit, which was faking geteuid(2) it all changed.
+> For "some" users it works as it was without a policy limiting screen,
+> that is root-owned/user-owned pair of processes, and for "some other"
+> users it doesn't work at all:
+>
+> user a:
+> devel% screen
+> getpwuid() can't identify your account!
+>
+> user b:
+> devel% screen
+> devel% ps aux |grep screen
+> root 345 [...] 3:52 0:20,80 screen
+> b 344 [...] 3:52 0:00,02 screen
+>
+> Is this what we wanted? ;)
+> It doesn't make any sense to me - it looks like we've just cheated cerb
+> instead of screen... hmm... or I miss something.
+>
+> The only difference between those two accounts is that 'b' has its own
+> ~/.login_conf and 'a' does not ;)

I've committed a fix. Thanks!

-- 
Pawel Jakub Dawidek                       pa...@da...
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net