[squeak-dev] smalltalk and Web stuff

Gerardo Richarte gera at corest.com
Mon Nov 24 01:51:46 UTC 2008


Janko Mivšek wrote:
> Only unsolved question remains how to add a server on a new IP or
> port, without restarting the whole image as root? I need to temporarily
> login the image as root then logout. Can I do that through libc too? 
well... if after you dropped privs it was possible to regain them for you,
it would be possible to regain them for an attacker with code execution :)
so, if we are doing things right, no, there's no way to become root after
you dropped privs.

Now, if you are careful with your base URL, another option is, as Igor
suggested, to use, for example, iptables to redirect port 80 to a higher
port, and make squeak listen on a high port. For this you'll need an
external helper program (setuid root), that lets you change at runtime
the firewall rules from squeak.

Another option is to use a different external helper program, running
as root, that will open the sockets for your non-root process, and then
pass them around to the other process. In most OSes there's a way
to pass FDs from one process to the other, as far as I remember, in
Unix that's through a unix socket.

If you are interested in any of these two options, let me know, I'll try to
find out the right magic.

    richie
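
The second option in the message above (a root helper opens the socket and passes it to the non-root process over a Unix socket) relies on SCM_RIGHTS ancillary data. The following is an added example, not code from the post or from Squeak: the names `send_fd`, `recv_fd` and `demo` are hypothetical, and both roles run in one process over a `socketpair` so the block is self-contained.

```c
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

typedef union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } fdbuf;

/* Helper (root) side: pass descriptor fd over Unix socket chan; 0 on success. */
int send_fd(int chan, int fd) {
    char byte = 0; struct iovec iov = { &byte, 1 };  /* needs >= 1 data byte */
    fdbuf u = {{0}};
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(chan, &m, 0) == 1 ? 0 : -1;
}

/* Unprivileged side: take exactly one descriptor, reject anything else. */
int recv_fd(int chan) {
    char byte; struct iovec iov = { &byte, 1 };
    fdbuf u; int fd;
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &m, 0) != 1 || (m.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Both roles in one process; returns 1 if the received fd is a listening socket. */
int demo(unsigned short port) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    int sp[2], on = 0, got, l = socket(AF_INET, SOCK_STREAM, 0);
    socklen_t n = sizeof on;
    /* bind() is the only step that needs root, and only for ports below 1024 */
    if (l < 0 || bind(l, (struct sockaddr *)&a, sizeof a) < 0 || listen(l, 16) < 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0 || send_fd(sp[0], l) < 0) return -1;
    close(l);                              /* helper keeps no copy of its own */
    got = recv_fd(sp[1]);
    if (got < 0 || getsockopt(got, SOL_SOCKET, SO_ACCEPTCONN, &on, &n) < 0) return -1;
    close(got); close(sp[0]); close(sp[1]);
    return on;
}
int main(void) { return demo(0) == 1 ? 0 : 1; }   /* port 0: kernel picks a free port */
```

In a real deployment the helper and the server are separate processes joined by a Unix socket whose filesystem permissions limit who can ask for a listener; the server never holds root at any point.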


