Starting daemons on a trusted system
If your system is configured in "High" or "Improved"
(C2) security mode, all processes must be stamped with an
LUID (login user ID) in order to run properly.
If you add any scripts that call a setuid or setgid
(set user ID or group ID) program to the
/etc/rc structure, you must remember to set the LUID.
This ensures that the system accurately records who does what,
even if the effective identity of the user changes.
An attempt to run a setuid or setgid
program without an LUID fails with the error message:
If the program does not change the ID of the process,
this procedure is unnecessary.
To set the LUID, use the su command:
su username -c "command"
where username is the name of the user or account and command is the complete command line that you want to execute.
For example, the deliver daemon checks periodically for undelivered mail. The command that starts it is in the file /etc/rc2.d/S86mmdf:
/bin/su mmdf -c "/usr/mmdf/bin/deliver -b"
This command sets the LUID to mmdf, which is the LUID used to administer the mail routing system. The command is run automatically when the system goes into multiuser mode.
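The same pattern as an added example, not code from the original page: an /etc/rc2.d-style start/stop script that launches a daemon through su so the process carries an LUID. The account (mmdf), command line and daemon name are assumed values taken from the deliver example above; the helper names luid_cmd, have_luid_account and daemon_pids are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: an /etc/rc2.d-style start/stop
# script that launches a daemon through su so the process carries an LUID.
# The account, command and daemon name below are assumed values for a
# C2-mode system; adjust them for the daemon you are adding.

SU=/bin/su
DAEMON_USER=mmdf                       # account whose LUID the daemon gets
DAEMON_CMD="/usr/mmdf/bin/deliver -b"  # complete command line to run
DAEMON_NAME=deliver                    # command name as shown by ps -e

# Build the su invocation: su stamps the LUID, then runs the command.
luid_cmd() {
    # $1 = account name, $2 = complete command line
    printf '%s %s -c "%s"' "$SU" "$1" "$2"
}

# Refuse an empty account: a process started without an LUID cannot run
# setuid or setgid programs on a system in High or Improved (C2) mode.
have_luid_account() {
    [ -n "$1" ]
}

# List process IDs of a daemon by the command name ps -e prints.
daemon_pids() {
    ps -e | awk -v name="$1" '$NF == name { print $1 }'
}

case "$1" in
start)
    have_luid_account "$DAEMON_USER" || {
        echo "$0: no account configured to set the LUID" >&2
        exit 1
    }
    # Runs, for the assumed values: /bin/su mmdf -c "/usr/mmdf/bin/deliver -b"
    eval "$(luid_cmd "$DAEMON_USER" "$DAEMON_CMD")"
    ;;
stop)
    pids=$(daemon_pids "$DAEMON_NAME")
    [ -n "$pids" ] && kill $pids
    ;;
esac
```

Installed as /etc/rc2.d/S86name, the start branch is what runs on entry to multiuser mode; the stop branch is for the matching K-script.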