From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/5221
Path: news.gmane.org!not-for-mail
From: Natanael Copa <ncopa@alpinelinux.org>
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: musl 1.0.x branch
Date: Tue, 10 Jun 2014 23:25:06 +0200
Message-ID: <20140610232506.7f9558c2@ncopa-laptop>
References: <20140606175617.GA3914@brightrain.aerifal.cx>
	<20140609112352.1e7ad51e@ncopa-desktop.alpinelinux.org>
	<20140609200830.GK179@brightrain.aerifal.cx>
	<20140610094351.GE20596@example.net>
	<20140610160356.GL179@brightrain.aerifal.cx>
Reply-To: musl@lists.openwall.com
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Trace: ger.gmane.org 1402433414 25436 80.91.229.3 (10 Jun 2014 20:50:14 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Tue, 10 Jun 2014 20:50:14 +0000 (UTC)
Cc: musl@lists.openwall.com
To: Rich Felker <dalias@libc.org>
Original-X-From: musl-return-5226-gllmg-musl=m.gmane.org@lists.openwall.com Tue Jun 10 22:50:09 2014
Return-path: <musl-return-5226-gllmg-musl=m.gmane.org@lists.openwall.com>
Envelope-to: gllmg-musl@plane.gmane.org
Original-Received: from mother.openwall.net ([195.42.179.200])
	by plane.gmane.org with smtp (Exim 4.69)
	(envelope-from <musl-return-5226-gllmg-musl=m.gmane.org@lists.openwall.com>)
	id 1WuSzg-0005Gx-2x
	for gllmg-musl@plane.gmane.org; Tue, 10 Jun 2014 22:50:08 +0200
Original-Received: (qmail 7901 invoked by uid 550); 10 Jun 2014 20:50:07 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
Original-Received: (qmail 7893 invoked from network); 10 Jun 2014 20:50:07 -0000
In-Reply-To: <20140610160356.GL179@brightrain.aerifal.cx>
X-Mailer: Claws Mail 3.10.0 (GTK+ 2.24.23; x86_64-alpine-linux-musl)
Xref: news.gmane.org gmane.linux.lib.musl.general:5221
Archived-At: <http://permalink.gmane.org/gmane.linux.lib.musl.general/5221>

On Tue, 10 Jun 2014 12:03:56 -0400
Rich Felker <dalias@libc.org> wrote:

> FYI you can emulate the usefulness of suid, without the danger, by
> having a daemon on a unix socket that you connect to which provides
> the functionality. This is a vastly superior design because there is
> exactly one input channel to the code running with elevated privileges
> (the socket) as opposed to unboundedly many (environment, open fds,
> resource limits, working directory, priority, signal mask and
> dispositions, cpu affinity, ... and whatever else the kernel folks add
> in the future).

You probably knew but this is what OpenBSD does instead of suid + PAM:
http://en.wikipedia.org/wiki/BSD_Authentication

I have always liked this approach.

-nc