Password Login?

Shahid (Verified User, joined Dec 10, 2003, 42 messages)
When a user logs in using the ‘DirectAdmin login page’..

It checks the password in master.passwd (FreeBSD), but the master.passwd file is only readable by root, so how can DirectAdmin access that file?

I am worried about a security issue.
 
Since I didn't write DA I could be wrong, but the directadmin daemon runs as root, therefore it has permissions to everything.
That is of course exempting users, in which case I believe DA forks to initiate a process at the same user level as the one accessing it for security reasons.
 
Interesting response, except that directadmin doesn't appear to run as root:
Code:
[jeff@admin html]$ ps waux | grep directadmin | grep root
root      4295  0.0  0.0  2656  344 ?        S    Oct17   1:20 /usr/local/directadmin/da-popb4smtp
root     28397  0.0  0.0  3676  676 pts/1    S    22:54   0:00 grep directadmin
[jeff@admin html]$

Hmmmm...

Jeff
 
nobody 98161 0.0 0.0 2364 0 ?? IW - 0:00.00 /usr/local/directadmin/directadmin d
nobody 98165 0.0 0.0 2364 0 ?? IW - 0:00.00 /usr/local/directadmin/directadmin d
nobody 98168 0.0 0.0 2364 0 ?? IW - 0:00.00 /usr/local/directadmin/directadmin d
nobody 98169 0.0 0.0 2364 0 ?? IW - 0:00.00 /usr/local/directadmin/directadmin d


Indeed, how did directadmin have permission to access all the root files such as passwd, master.passwd, etc.?
 
'Tis a mystery to me; I'll ask DA staff to look at the thread.

Perhaps they'll reply.

Jeff
 
Quite simple actually..

Programs can drop their privileges from root using setuid(). Once they do that, they can't get root back. We use seteuid() (set effective user id) which does allow the process to get root back.

With that, we ensure that DA is always running with the minimal amount of privilege possible, i.e. when reading in a request, the process sits as nobody. Only when root access is required does DA escalate its privileges to root.

This prevents someone from gaining unauthorized root access through DA.

Mark
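An added C example (not DirectAdmin's code) of the two patterns Mark contrasts: seteuid() parks the effective uid as nobody and brings root back only around the privileged read, while setuid() from root is a one-way door. The uid 65534 for "nobody" and the /etc/master.passwd path are assumptions; run as root it shows both outcomes, run as an ordinary user every elevation simply fails closed.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed uid of "nobody"; adjust for your system. Single-threaded process assumed. */
#define UNPRIV_UID ((uid_t)65534)
static char demo_buf[256];

/* Temporary drop: only the effective uid changes, the saved set-user-id stays 0,
 * so seteuid(0) can bring root back later. Returns 0 on success, -1 on error. */
int drop_privs_temporarily(uid_t uid) { return seteuid(uid); }

/* Regain root: succeeds only while the real or saved uid is still 0. */
int regain_root(void) { return seteuid(0); }

/* Permanent drop: setuid() as root rewrites real, effective AND saved uid. */
int drop_privs_permanently(uid_t uid) { return setuid(uid); }

/* 1 if this process could become root right now, else 0. Leaves the effective
 * uid as it found it, so it can be called from anywhere. */
int can_regain_root(void) {
    uid_t cur = geteuid();
    if (cur == 0) return 1;
    if (seteuid(0) != 0) return 0;
    (void)seteuid(cur);
    return 1;
}

/* Mark's pattern: sit as nobody, elevate only around the privileged operation,
 * drop back immediately, even on the error path. Returns bytes read or -1. */
ssize_t read_privileged_file(const char *path, char *buf, size_t len) {
    if (regain_root() != 0) return -1;               /* no root to escalate to: fail closed */
    ssize_t n = -1;
    FILE *f = fopen(path, "r");
    if (f) { n = (ssize_t)fread(buf, 1, len, f); fclose(f); }
    int saved_errno = errno;
    if (drop_privs_temporarily(UNPRIV_UID) != 0) _exit(1); /* never linger as root */
    errno = saved_errno;
    return n;
}

/* One run shows both drops. Returns 0 if the process has no root to demonstrate
 * with, 1 if seteuid() was reversible and setuid() was not, -1 if anything else. */
int compare_drop_methods(void) {
    if (!can_regain_root() || regain_root() != 0) return 0;
    if (drop_privs_temporarily(UNPRIV_UID) != 0) return 0;   /* e.g. no CAP_SETUID */
    int after_seteuid = can_regain_root();                   /* expect 1 */
    if (regain_root() != 0 || drop_privs_permanently(UNPRIV_UID) != 0) return -1;
    int after_setuid = can_regain_root();                    /* expect 0: root is gone */
    return (after_seteuid == 1 && after_setuid == 0) ? 1 : -1;
}

int main(void) {
    /* FreeBSD path from the thread; returns -1 on Linux or when not started as root */
    printf("read as root -> %zd bytes\n", read_privileged_file("/etc/master.passwd", demo_buf, sizeof demo_buf));
    printf("seteuid reversible, setuid not -> %d\n", compare_drop_methods());
    return 0;
}
```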
 