Subject: Re: clockctl
To: Jaromír <jdolecek@netbsd.org>
From: Perry E. Metzger <perry@wasabisystems.com>
List: tech-kern
Date: 09/16/2001 16:54:43
I'll go much further. There are a large number of daemons which, given
access to one or two normally root priv'ed calls, could be made
unprivileged. We can't build a thousand pseudodevices for this.

I'd recommend that we build a more generic mechanism that allows us to
delegate privilege to daemons like ntp for just certain calls.

Indeed, sometimes it would be nice to *remove* normal privs. For
example, many daemons are often overflow exploited by calling
exec, but normally would never call exec themselves. They could give
up the ability to call exec.

Jaromír Dolecek <jdolecek@netbsd.org> writes:
> This is a nice thing, and I like that one less daemon would be able to
> run without root privs.
> 
> However, I'm a bit concerned whether this really needs to be
> implemented this way. I'd probably like it much more if the device
> would be used as a way to control who can call ntp_adjtime() only - like,
> if ntp_adjtime() would be called by non-root, it would allow the
> change if the calling process has the clockctl device open for
> write. Simple, and no read/writes on critical path. This would also
> simplify the userland stubs a lot (they'd only need to open/close
> the device file before calling the syscall, no other special handling
> would be necessary).

--
Perry E. Metzger		perry@wasabisystems.com
--
NetBSD Development, Support & CDs. http://www.wasabisystems.com/