Subject: Re: Miscellaneous OS features: capabilities
To: None <current-users@NetBSD.org>
From: David Young <email@example.com>
Date: 08/11/2003 01:02:46
On Mon, Aug 11, 2003 at 04:15:05AM +0000, Nate Hill wrote:
> On Mon August 11 2003 02:14, David Young wrote:
> > On Fri, Aug 08, 2003 at 07:39:22AM -0400, Sporleder, Matthew wrote:
> > > Speaking of de-rooting-
> > > Could you just add a /dev/ports/ directory or something along
> > > those lines to then chown specific ports to any user you wanted:
> > > <daemon>d, for example?
> > Take it a step further. Grant the daemon *process* only the
> > privileges it needs, using the imaginary "cap" command.
> > CAP(1)                NetBSD Reference Manual                CAP(1)
> >
> > NAME
> >      cap - an imaginary program which runs a command with
> >      restricted privileges
> This could be done quite easily. A nice front-end to a set-uid
> systrace is needed.
No doubt, but is it not a little backward to use a set-uid program to
run a command with least privileges? =)
David Young OJC Technologies
firstname.lastname@example.org Urbana, IL * (217) 278-3933