Dropping privileges

Andrea Crotti

My program now sadly runs only as root, but actually I think that the
only thing that really needs root access is the creation of a tunnel
device.

Looking around I understood that I could use setuid() to drop the
privileges after the critical part is over, but to what user?

I think this is the reason why mysql/openldap/etc create a new user, so
they can drop down to it when they're done with the critical part.

But where exactly should this user creation mechanism be set?
Still from the C program (removing it when exiting)?
Thanks
 
Nobody

My program now sadly runs only as root, but actually I think that the
only thing that really needs root access is the creation of a tunnel
device.

Looking around I understood that I could use setuid() to drop the
privileges after the critical part is over, but to what user?

I think this is the reason why mysql/openldap/etc create a new user, so
they can drop down to it when they're done with the critical part.

But where exactly should this user creation mechanism be set?
Still from the C program (removing it when exiting)?

First, you would do better to ask on comp.unix.programmer.

You definitely shouldn't be creating and deleting accounts from within
your program. Nowadays, such tasks are far more complex than they might
appear. You can't assume that it's just a matter of adding a line to
/etc/passwd, due to the use of NIS/LDAP/etc, or even integration with
Windows domains. On Linux, creation of accounts to run daemons is normally
handled by the package's installation script, and is specific to a given
distribution.

One issue with dropping down to an existing account such as daemon or adm
is that the account may be a member of certain privileged groups, e.g. bin.
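
The drop discussed in this thread, as an added example that is not part of either post: a permanent switch to a dedicated account after the privileged step, resetting the supplementary group list so no privileged group membership is carried over. The account name "mytunnel" is hypothetical and is assumed to have been created by the package's installation script.

```c
#define _DEFAULT_SOURCE              /* exposes setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the process can no longer get root back via setuid(0). */
int cannot_regain_root(void)
{
    return setuid(0) == -1;
}

/*
 * Permanently switch to the named account. Call only after the privileged
 * step (creating the tunnel device) is done. Returns 0 on success, -1 on
 * any failure. On -1 the process may be half-switched, so the caller must
 * exit rather than carry on.
 */
int drop_privileges(const char *account)
{
    struct passwd *pw = getpwnam(account);
    if (pw == NULL)
        return -1;                   /* account was never created */
    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;
    if (uid == 0)
        return -1;                   /* switching to root drops nothing */

    /* Order matters: once setuid() succeeds we may no longer change groups. */
    if (setgroups(1, &gid) == -1)    /* keep only the primary group */
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;

    /* Check the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return cannot_regain_root() ? 0 : -1;
}

int main(void)
{
    /* ... privileged step: create the tunnel device here ... */
    if (drop_privileges("mytunnel") != 0) {   /* hypothetical account name */
        fprintf(stderr, "could not drop privileges, exiting\n");
        return 1;
    }
    /* ... unprivileged main loop ... */
    return 0;
}
```
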
 
