[OpenIndiana-discuss] Solaris privileges and seteuid()

James Relph james at themacplace.co.uk
Thu Aug 16 18:01:02 UTC 2012


>> 
> I haven't wrapped my head around what Gea tried to describe, so I
> can't really comment on that but afaict it's woolly thinking (tm).
> 

Shoop!


> However, I think I was able to solve the problem described here (it
> seems seteuid(0) is not enough if your effective gid is an ephemeral
> one; after setegid(0) too, the afpd process can call chown() at will),
> which would mean the problem (at least for Netatalk) is solved: all
> files and dirs created by Netatalk processes by an AD user have their
> owner and group set to the uid and gid of the AD user, not nobody.

That's interesting, although it'll give me a headache trying to work out which method would be best (definitely pluses and minuses to the built-in method, and to SAMBA).  The ephemeral mappings are the bit that is somewhat confusing.  From what I've been reading, it sounded like what it does is to actually store the SID on-disk and convert that on the fly to an ephemeral UID.  That might mean that the non-persistence of the ephemeral IDs across reboots doesn't matter (as the SID itself is still stored), but it's hard working out from the documentation exactly what's going on.

James.
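The quoted reply describes the sequence a daemon such as afpd has to follow: take on the AD user's uid and gid for file creation, then restore both the effective uid and the effective gid (not just the uid) before calling chown(). The following is an added example that is not code from Netatalk or from anyone in this thread. It assumes the program is started as root with saved uid 0 and gid 0, so that seteuid(0)/setegid(0) can be undone later; the function names and the file path are hypothetical. Run as an unprivileged user, the identity switch is a no-op and regaining root fails with EPERM, which the code reports rather than hides.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Take on the client user's identity for file creation.
 * Group first: once the effective uid is unprivileged, setegid() to an
 * arbitrary group (including an ephemeral SID-mapped gid) is refused.
 * Returns 0 or -errno. */
int impersonate(uid_t uid, gid_t gid)
{
    if (setegid(gid) != 0)
        return -errno;
    if (seteuid(uid) != 0)
        return -errno;
    return 0;
}

/* Regain the daemon's privileged identity. Uid first: the saved uid 0
 * lets seteuid(0) succeed, and with euid 0 setegid(0) is then permitted
 * (on Linux the effective capabilities are refilled from the permitted
 * set when the effective uid returns to 0). Leaving the egid at the
 * ephemeral value is the mistake the thread describes. */
int regain_privilege(void)
{
    if (seteuid(0) != 0)
        return -errno;
    if (setegid(0) != 0)
        return -errno;
    return 0;
}

/* Create 'path' as (uid, gid), then regain privilege and chown() it so the
 * owner and group are the client user's ids regardless of how the file
 * system assigned them at creation time. Returns 0 or -errno; on failure
 * the file is removed again. */
int create_file_as(const char *path, uid_t uid, gid_t gid)
{
    int rc = impersonate(uid, gid);
    if (rc != 0)
        return rc;

    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0640);
    if (fd < 0)
        return -errno;
    close(fd);

    rc = regain_privilege();
    if (rc != 0) {
        unlink(path);           /* cannot fix ownership: do not leave a stray file */
        return rc;
    }
    if (chown(path, uid, gid) != 0) {
        rc = -errno;
        unlink(path);
        return rc;
    }
    return 0;
}

/* Report the current owner and group of 'path'. Returns 0 or -errno. */
int file_owner(const char *path, uid_t *uid, gid_t *gid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -errno;
    *uid = st.st_uid;
    *gid = st.st_gid;
    return 0;
}

int main(void)
{
    /* Constructed demo: use our own ids so the run is harmless either way. */
    const char *path = "/tmp/seteuid_demo_file";
    unlink(path);
    int rc = create_file_as(path, getuid(), getgid());
    if (rc == 0) {
        uid_t u; gid_t g;
        file_owner(path, &u, &g);
        printf("created %s owned by %u:%u\n", path, (unsigned)u, (unsigned)g);
        unlink(path);
    } else {
        printf("create_file_as failed: errno %d (expected EPERM when not root)\n", -rc);
    }
    return 0;
}
```

When started as root the program leaves the file owned by the ids it was given; as an ordinary user, seteuid(0) is refused and the function reports -EPERM instead of silently leaving a file owned by whatever the impersonated egid happened to be.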


