Subject: Re: Getting rid of /dev/veriexec
To: None <tech-kern@netbsd.org>
From: None <joerg@britannica.bec.de>
List: tech-kern
Date: 12/02/2005 16:27:31
On Fri, Dec 02, 2005 at 03:04:31PM +0200, Elad Efrat wrote:
>
> 1. An admin can chown a device to give a user a special role -- true,
> but Veriexec does an explicit suser() (and there's no, at the moment,
> intention to change that). This should be addressed by capabilities,
> if any.
I don't agree with Nathan on the use of sysctl, but removing the device
as entry point is IMO a very bad thing for Veriexec. Consider the need
for the device a security feature for Veriexec, but a bug e.g. for ps /
netstat etc.
Joerg