Replace uid==0 tests with capability checks

Corinna Vinschen vinschen at redhat.com
Wed Mar 11 19:26:39 EST 2009


Hi,

This time with its own subject:

What's still missing in OpenSSH is code which abstracts the idea of the
root user to the idea of a user with certain privileges.  At least
Linux/Solaris/Cygwin/Windows allow specifying finer grained user rights,
so that certain types of tasks are not necessarily run by the root user.
In case of Cygwin/Windows there isn't even a root user, just users with
certain privileges.  Given that, the hardcoded checks for uid == 0 don't
make sense or rather, are too bulky in a couple of environments.  To
reiterate an idea I've been proposing for quite some time now:

  Instead of checks as

    if (getuid() == 0)
      do_foo_bar ();
    else
      EEEEK!

  openssh should have checks along the lines of

    if (uid_has_capability (getuid (), CAP_foo_bar))
      do_foo_bar ();
    else
      EEEEK!

The function uid_has_capability() would be quite simple on systems
which don't have fine-grained user rights:

    int
    uid_has_capability (uid_t uid, int capability)
    {
      (void) capability;  /* no fine-grained rights: root has everything */
      return uid == 0;
    }

but could be much more elaborate on other platforms like Linux, Solaris,
or Cygwin.  And, again, I'm willing to help with this stuff in terms of
coding.


Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
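The following is an added example, not code from the post or from OpenSSH, showing the abstraction the post proposes carried one step further: the trivial uid == 0 backend beside a fine-grained backend, selected behind the single uid_has_capability() entry point, and a caller (the privileged-port check) written against a capability rather than against uid == 0. The capability names, the table of per-uid rights, and the set_capability_backend() switch are constructed for illustration; on a real platform the fine-grained backend would query libcap, Solaris privileges or the Windows token instead of a static table.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical capability identifiers for this example (not OpenSSH's). */
enum ssh_capability {
    CAP_BIND_LOW_PORT = 1 << 0,   /* bind a port below 1024 */
    CAP_SETUID_ANY    = 1 << 1,   /* switch to an arbitrary user */
    CAP_READ_SHADOW   = 1 << 2    /* read the password database */
};

/* Backend for systems without fine-grained rights: root has everything,
   everyone else has nothing, exactly as the post's fallback describes. */
static int uid_has_capability_fallback(uid_t uid, int capability)
{
    (void)capability;
    return uid == 0;
}

/* Constructed table standing in for a fine-grained rights source
   (what a libcap / Solaris privilege / Windows token query would return). */
struct uid_caps { uid_t uid; unsigned int caps; };
static const struct uid_caps fine_grained_table[] = {
    { 0,    CAP_BIND_LOW_PORT | CAP_SETUID_ANY | CAP_READ_SHADOW },
    { 1001, CAP_BIND_LOW_PORT },   /* may listen on 22, nothing else */
    { 1002, CAP_READ_SHADOW },     /* may read shadow, may not bind 22 */
};

/* Fine-grained backend: a uid has a capability only if every bit of the
   requested capability is granted; an unknown uid has no privilege at all. */
static int uid_has_capability_fine_grained(uid_t uid, int capability)
{
    size_t n = sizeof fine_grained_table / sizeof fine_grained_table[0];
    for (size_t i = 0; i < n; i++)
        if (fine_grained_table[i].uid == uid)
            return (fine_grained_table[i].caps & (unsigned)capability)
                   == (unsigned)capability;
    return 0;
}

/* In a real port the backend is chosen at build time; a runtime switch
   (constructed for this example) lets both paths run in one binary. */
static int use_fine_grained = 0;
void set_capability_backend(int fine_grained) { use_fine_grained = fine_grained; }

/* The single entry point callers use instead of testing uid == 0. */
int uid_has_capability(uid_t uid, int capability)
{
    return use_fine_grained ? uid_has_capability_fine_grained(uid, capability)
                            : uid_has_capability_fallback(uid, capability);
}

/* Example caller: privileged-port check phrased as a capability.
   Returns 1 if the uid may bind the port, 0 otherwise. */
int may_bind_port(uid_t uid, int port)
{
    if (port < 1024)
        return uid_has_capability(uid, CAP_BIND_LOW_PORT);
    return 1;
}

int main(void)
{
    set_capability_backend(0);
    printf("fallback:     uid 1001 bind 22 -> %d\n", may_bind_port(1001, 22));
    set_capability_backend(1);
    printf("fine-grained: uid 1001 bind 22 -> %d\n", may_bind_port(1001, 22));
    printf("fine-grained: uid 1002 bind 22 -> %d\n", may_bind_port(1002, 22));
    return 0;
}
```

The point of keeping the policy behind uid_has_capability() is that the caller never learns which backend is in use: on a plain POSIX box the port check still reduces to uid == 0, while on a platform with real privilege sets a non-root service account holding only the bind right passes the same check without being root for anything else.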
