qpid-dev mailing list archives

From Andrew Stitcher <astitc...@redhat.com>
Subject Re: Access to qpidd original arg list from {platform specific}QpiddBroker.cpp ?
Date Thu, 01 Apr 2010 14:33:22 GMT
On Tue, 2010-03-30 at 11:21 -0500, Kerry Bonin wrote:
> Hello, and thanks for the comments!
> 
> First, thank you Andrew for GetCommandLine() - 20 something years on
> Windows, and I don't remember seeing that one before, certainly made this
> simpler.
> 
> On the subject of the command line in general for a service - I agree that
> under most normal use a config file should be used, I just wanted to make
> sure the command line was usable...
> 
> On the security of self-installing services - if the service is doing much
> more than installing itself, especially if it contains baked in credentials,
> etc., that would be a very bad thing.  What I've done is essentially the
> equivalent of sc create|start|stop|delete wrap as a convenience function,
> nothing more, and the calls execute with the same privilege level a user has
> available to them at the command line.

ISTR that the issue is related to UAC, but I admit I can't quite see
what the issue could be.

One security-related issue I'd suggest is that if running qpid as a
service then we should run as an unprivileged user though with network
access. qpidd only shuffles bits around a network so doesn't seem to
need elevated privileges.

I'm not sure how this fits exactly, but I assume that you'd need to
create a new user account on installation and run the service using it.
This would obviously require admin privileges.

Andrew



---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
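
One way to check which account a Windows service runs under, following the suggestion in the message above to run qpidd as an unprivileged user with network access. This is an added example, not part of the original message and not Qpid project code; the service name `qpidd`, the account `.\qpidd-svc` and the sample records are assumptions made for illustration.

```powershell
# Added example, not Qpid project code. The service name 'qpidd' and the
# sample records at the bottom are constructed for illustration.

# Accounts that give a service full control of the local machine.
$HighPrivilege = @('LocalSystem', 'NT AUTHORITY\SYSTEM')
# Built-in restricted accounts. NetworkService can still use the network.
$BuiltInLow = @('NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')

function Test-ServiceAccount {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [AllowNull()] [AllowEmptyString()] [string] $StartName
    )
    # -in compares case-insensitively, so capitalisation differences in the
    # reported account name do not change the verdict.
    $verdict = if ([string]::IsNullOrWhiteSpace($StartName)) {
        'UNKNOWN: no account reported'
    }
    elseif ($StartName -in $HighPrivilege) {
        'FAIL: runs with full local privilege'
    }
    elseif ($StartName -in $BuiltInLow) {
        'OK: built-in restricted account'
    }
    else {
        'REVIEW: dedicated account, confirm it is not in Administrators'
    }
    [pscustomobject]@{ Service = $Name; Account = $StartName; Verdict = $verdict }
}

# Constructed sample records shaped like Win32_Service output.
$sample = @(
    [pscustomobject]@{ Name = 'qpidd'; StartName = 'LocalSystem' },
    [pscustomobject]@{ Name = 'qpidd'; StartName = 'NT AUTHORITY\NetworkService' },
    [pscustomobject]@{ Name = 'qpidd'; StartName = '.\qpidd-svc' }
)
$sample | ForEach-Object { Test-ServiceAccount -Name $_.Name -StartName $_.StartName }

# Against a live machine:
#   Get-CimInstance Win32_Service -Filter "Name='qpidd'" |
#       ForEach-Object { Test-ServiceAccount -Name $_.Name -StartName $_.StartName }
# Moving an existing service to NetworkService (needs an elevated prompt):
#   sc.exe config qpidd obj= "NT AUTHORITY\NetworkService" password= ""
```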

