A package may contain multiple executables, each of them triggered in different times by the DSM. For example, CGIs will be spawn by the cgi daemon, and control scripts (preinst, start_stop_status...) will be called by package center. Our framework uses the owner user and group of the executable to decide what user privilege to grant.

Suppose the owner user is ```${package}:

  • If the owner group is system, then use setresuid(-1, ${package}, -1), which gives the process ability to change back toroot```.
  • Otherwise, use setresuid(${package}, ${package}, ${package}), drop its privilege.

A Summory of file owner user / group and granted privilege is shown below:

run-as owner euid ruid
package ${package}:${package} ${package} ${package}
system ${package}:system ${package} 0
root root:root 0 0