|
(
This question具有相同的标题,但问题正文以脚本的角度要求它,例如su -c,不要欺骗它)
我有一个Qt GUI应用程序,需要根据用户输入在/ etc中执行一些文件操作.一个选项可能会使用带有sudo的system(),但即使这样也需要在某些时候弄乱sudoers文件.我也不想做系统()加脚本黑客修改文件,但正确的文件操作.
以编程方式提升我的应用程序权限以执行此操作的最佳方法是什么?
编辑:作为奖励,它会很好,如果它也可以在Maemo / Meego /其他手持设备上工作(afaik PolicyKit在那里不可用..)
解决方法
我会写一个单独的程序.这个
philosophy的内容.基本上 – 编写一个简单的程序,完全满足您的需要,并使用文件系统上的文件权限控制其行为.主要是,
Do as little as possible in setuid programs.
A setuid program must operate in a
very dangerous environment: a user is
under complete control of its fds,
args,environ,cwd,tty,rlimits,
timers,signals,and more. Even worse,
the list of controlled items varies
from one vendor’s UNIX to the next,so
it is very difficult to write portable
code that cleans up everything.
Of the twenty most recent sendmail
security holes,eleven worked only
because the entire sendmail system is
setuid.
Only one qmail program is setuid:
qmail-queue. Its only purpose is to
add a new mail message to the outgoing
queue.
和,
Do as little as possible as root.
The entire sendmail system runs as root,so there’s no way that its mistakes can be caught by the operating system’s built-in protections. In contrast,only two qmail programs,qmail-start and qmail-lspawn,run as root.
(编辑:李大同)
【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容!
|
