

Impersonation functionality

Impersonation is a feature that allows temporary user switches at run time. UNIX has a similar feature, setuid (http://en.wikipedia.org/wiki/Setuid), but it requires a file system that supports the "chmod +s <file>" command, and every program that uses it must have the corresponding flag (+s) set.

Also, a setuid-ed program can gain any privilege without even asking for a password. Of course, that is a security risk, and it would be good to have another mechanism for changing user privileges; impersonation is a good way to do it. Although we can emulate impersonation with the "su USER" command, that is not possible in some environments, such as web server CGI scripts.
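For comparison, this is what a temporary user switch looks like with the existing POSIX setuid machinery described above. It is an added example, not code from this page or from the FreeBSD paper; `run_as` and `report_euid` are hypothetical names, and the switch only succeeds for a UID the process is already entitled to (its real or saved UID, or any UID when running as root).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: run fn(arg) with the effective UID set to target,
 * then switch back. Returns 0 and stores fn's result in *out, or -1 with
 * errno set if the kernel refused the switch. */
int run_as(uid_t target, int (*fn)(void *), void *arg, int *out)
{
    uid_t saved = geteuid();

    if (seteuid(target) != 0)
        return -1;              /* e.g. EPERM: not our real or saved UID */
    if (geteuid() != target)    /* verify the switch, not just the return code */
        abort();

    *out = fn(arg);

    /* If the original identity cannot be restored, the process would keep
     * running as the wrong user, so stop hard instead of continuing. */
    if (seteuid(saved) != 0 || geteuid() != saved)
        abort();
    return 0;
}

/* Sample callback: report the effective UID seen inside the switch. */
static int report_euid(void *arg)
{
    (void)arg;
    return (int)geteuid();
}

int main(void)
{
    int seen = -1;
    uid_t real = getuid();  /* in a setuid binary this is the invoking user */

    if (run_as(real, report_euid, NULL, &seen) != 0) {
        perror("seteuid");
        return 1;
    }
    printf("callback ran with euid %d, now back to euid %d\n",
           seen, (int)geteuid());
    return 0;
}
```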

There is a good description of implementing impersonation in FreeBSD: http://www.makefile.com/files/uimp.pdf. It could be taken as the basis for adding an impersonation feature to the kernel.

Difficulty: 7

Contact: Alex (dot) Slesarev (at) gmail.com


last edited 2007-11-02 04:59:14 by AlexSlesarev