Re: [Ipsec-tools-devel] Configuration reload AND privsep

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Thursday, February 24, 2005, 2:29:01 PM, you wrote:

Just à quick word about privsep and config reload together.

> But if tomorrow someone wants to be able to change "everything in the
> config and just go on", including the privsep switch, I'll start by
> asking him if he really wants to changes this switch twice a day !

Since the beginning of this discussion, I've had a small idea, maybe
good, maybe not.  Couldn't we pass the privsep basic flags (user id and
group id) on the command line only (and downwards to the unpriv child) ?
Could that allow us to move the config parsing code into the
unprivileged instance ?  And, from that point of view, switching from
non-privsep to privsep couldn't be done without a restat, which is quite
logical, anyways. 

Thoughts ?

Fred
-- 
HTML's a cheap whore. Treating her with respect is possible, and even
preferable, because once upon a time she was a beautiful and virginal
format, but you shouldn't expect too much of her at this point.
                                     (Mark 'Kamikaze' Hughes in the SDM)