2012/8/21 Gordon Ross <[email protected]>:
> On Fri, Aug 17, 2012 at 5:44 AM, Frank Lahm <[email protected]> wrote:
>> 2012/8/17 James Relph <[email protected]>:
> [...]
>>>
>>> Thanks very much for that confirmation, really doesn't seem obvious in a
>>> lot of the documentation! I don't have a system handy to test today (will
>>> do over the weekend) but I'll try and get a better idea of how that works
>>> over the weekend (in particular after a reboot, what UID/GID will a
>>> file/folder show (i.e. with ls) until the same user logs in again and the
>>> new ephemeral mapping is created?).
>>
>> ephemeral ids break setuid/seteuid because they are not static on a
>> _running_ system. They may change anytime. Thus any POSIX compliant
>> application relying on these functions for privileges can not use
>> them.
>
> Really?

Yes. By using `getent group AD-GROUP` an existing user uid mapping (which a process was using with seteuid at that time) changed, which badly affected that process.

> Where is your evidence?

I don't care about proving this. IMO the lesson to learn is that, as there's no written guarantee of id mapping stability, I will not bet my horse on this.

> I don't think I've ever seen one
> change except after a reboot.

I bet neither you nor anybody else has ever done serious testing using the mapped ids in UNIX processes with POSIX calls like seteuid.

-f
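
The failure mode discussed in this thread (a uid cached by a process stops matching the account it was resolved from) can be detected by re-resolving the name immediately before the privilege switch. The C sketch below is an added example, not code from the thread or from OpenIndiana; `checked_seteuid`, `uid_resolver`, `simulate`, the account name `AD-USER` and the uid values are hypothetical and constructed for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum { SWITCH_OK = 0, LOOKUP_FAILED = -1, MAPPING_DRIFT = -2, SETEUID_FAILED = -3 };

/* Hypothetical resolver type: account name -> uid, returns 0 on success. */
typedef int (*uid_resolver)(const char *name, uid_t *out);

/* Resolver backed by the system name service (POSIX getpwnam_r). */
static int resolve_system(const char *name, uid_t *out) {
    struct passwd pw, *res = NULL;
    char buf[4096];
    if (getpwnam_r(name, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    *out = pw.pw_uid;
    return 0;
}

/* Constructed stand-in for a name->uid mapping that can change while we run. */
static uid_t fake_current_uid;
static int resolve_fake(const char *n, uid_t *out) { (void)n; *out = fake_current_uid; return 0; }

/* Re-resolve the name right before switching and refuse if the uid no longer
 * matches the one cached earlier. This narrows the window but cannot close it:
 * the mapping may still change between the lookup and seteuid(). */
static int checked_seteuid(const char *name, uid_t cached, uid_resolver r, int dry_run) {
    uid_t now;
    if (r(name, &now) != 0) return LOOKUP_FAILED;
    if (now != cached) return MAPPING_DRIFT;
    if (!dry_run && seteuid(now) != 0) return SETEUID_FAILED;
    return SWITCH_OK;
}

/* Uid cached at startup vs. uid the name maps to now (both constructed). */
static int simulate(uid_t cached, uid_t mapped_now) {
    fake_current_uid = mapped_now;
    return checked_seteuid("AD-USER", cached, resolve_fake, 1);
}

int main(void) {
    uid_t u;
    printf("stable mapping:  %d\n", simulate(2147483650u, 2147483650u));
    printf("changed mapping: %d\n", simulate(2147483650u, 2147483651u));
    if (resolve_system("root", &u) == 0)
        printf("root (dry run):  %d\n", checked_seteuid("root", u, resolve_system, 1));
    return 0;
}
```

A `MAPPING_DRIFT` result should be treated as a hard failure and logged, since continuing with the cached uid would run with whatever identity that number now denotes.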
