Subject: Re: security/10206 - proposed solution (concept)
To: None <elad@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Bernd Ernesti <netbsd@lists.veego.de>
List: netbsd-bugs
Date: 08/17/2005 06:36:03
The following reply was made to PR bin/10206; it has been noted by GNATS.

From: Bernd Ernesti <netbsd@lists.veego.de>
To: Elad Efrat <elad@NetBSD.org>
Cc: tech-security@NetBSD.org, gnats-bugs@NetBSD.org
Subject: Re: security/10206 - proposed solution (concept)
Date: Wed, 17 Aug 2005 08:35:28 +0200

 On Wed, Aug 17, 2005 at 06:58:02AM +0300, Elad Efrat wrote:
 > Alan Barrett wrote:
 > 
 > > Actually, the prohibited/optional/required status could just be implied
 > > by the numeric ranges, but then you'd have to use "0 means 0", not "0
 > > means infinity".  For example, "upper: 0" could mean "prohibited";
 > > "upper: 1-*" could mean "1 or more required"; "upper: 1-3" could mean
 > > "at least 1, but no more than 3"; "upper: 0-*" could mean "any number,
 > > zero or more".
 > 
 > Yes, but then we'd lose a bit of the readability. This is hardly
 > time-critical code, and in fact should be very clear to the admin as to
 > what the configuration means.
 
 That's what a manpage is for.
 
 > I can change the range syntax, though.
 
 I like the idea from Alan, so you have more flexibility to use a finer
 policy.
 And don't forget to use sane defaults if that file doesn't exist or
 doesn't define all entries.
 
 Bernd
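
Added example, not part of the original message and not NetBSD code: a minimal C parser for the range syntax Alan Barrett proposes above ("0", "1-3", "1-*", "0-*"), applied to the uppercase count of a password. The names `struct range`, `parse_range` and `upper_ok` are hypothetical, and the "0-*" fallback for a missing entry is an assumed default.

```c
#include <ctype.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical type: inclusive count range; hi == INT_MAX encodes "*". */
struct range { int lo, hi; };

/* Parse "N", "N-M" or "N-*". Returns 0 on success, -1 if malformed. */
int parse_range(const char *s, struct range *r)
{
    char *end;
    long lo, hi;

    if (!isdigit((unsigned char)s[0]))
        return -1;
    lo = hi = strtol(s, &end, 10);      /* bare "0" means exactly 0 */
    if (lo >= INT_MAX)
        return -1;
    if (end[0] == '-' && end[1] == '*') {
        hi = INT_MAX;                   /* open-ended upper bound */
        end += 2;
    } else if (end[0] == '-' && isdigit((unsigned char)end[1])) {
        hi = strtol(end + 1, &end, 10);
        if (hi >= INT_MAX)
            return -1;
    }
    if (*end != '\0' || lo > hi)        /* trailing junk or inverted range */
        return -1;
    r->lo = (int)lo;
    r->hi = (int)hi;
    return 0;
}

/*
 * Check the uppercase count of pw against spec.
 * spec == NULL models a missing entry: fall back to "0-*" (assumed default).
 * Returns 1 if allowed, 0 if rejected, -1 if spec is malformed.
 */
int upper_ok(const char *pw, const char *spec)
{
    struct range r = { 0, INT_MAX };
    int n = 0;

    if (spec != NULL && parse_range(spec, &r) != 0)
        return -1;
    for (; *pw != '\0'; pw++)
        if (isupper((unsigned char)*pw))
            n++;
    return n >= r.lo && n <= r.hi;
}
```

A malformed range is reported as an error instead of silently falling back to the default, so a typo in the policy file cannot quietly weaken the policy.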