KernelNewbies:

Impersonation functionality

Impersonation is a feature that allows for temporary user switches at run time. UNIX have a similar feature - sutuid (http://en.wikipedia.org/wiki/Setuid), but it requires certain file system, which support "chmod +s <file>" command and all programs which use it, must have accordant flag (+s).

Also, setuid-ed program can gain any privilege even without asking password. Of course, it is a security risk and it will be good to have another mechanism for changing user privileges - and impersonation is a good way to do it. Even we can emulate impersonation with "su USER" command, it is not possible for some environments - like webservers CGI scripts.

There is a good description about implementing impersonation in FreeBSD: http://www.makefile.com/files/uimp.pdf It could be taken for the basis for adding impersonation feature to the kernel.

Difficulty: 7

Contact: Alex (dot) Slesarev (at) gmail.com


CategoryKernelProjects

KernelNewbies: KernelProjects/Impersonation (last edited 2017-12-30 01:29:53 by localhost)