Bill Studenmund wrote:

>On Fri, Jan 13, 2006 at 11:16:43AM -0800, Garrett D'Amore wrote:
>  
>
>>Elad Efrat wrote:
>>
>>    
>>
>>>Garrett D'Amore wrote:
>>>
>>>      
>>>
>>>>These checks maybe should be enabled by yet another sysctl, in case some
>>>>site has some special reason not to enforce them.
>>>>        
>>>>
>>>It seems like this is getting way too bloated. The original request was
>>>for a knob to be used on development machines; I'm not sure who would
>>>want to enable such a feature on a production box.
>>>
>>>The suggestion of setting a directory and owner via sysctl seems enough
>>>for me; root should take care of anything around it.
>>> 
>>>
>>>      
>>>
>>Here's the scenario I see, and it should be thought out:
>>    
>>
>
>I agree that it'd be nice to support the scenario you describe. However 
>let's do this in steps. I think that adding a way to enable set-id cores 
>is a good first step. Also, I don't think the proposed sysctls will impare 
>supporting the scenario you describe, so let's add it/them now. :-)
>  
>
I agree that stepwise is a reasonable idea, but if we do that, we need
to "in the interim" describe the limitations/considerations in the man
page.  For my 2 cents, its easier to just get add an extra sysctl.

Btw, we might want kern.defcorename and a new kern.defsuidcorename
sysctl, the latter can use a full path name, without imparing ordinary
behavior that we are all used to for non-suid processes.

    -- Garrett

>Also, we have the kern.defcorename sysctl now. If we want things in a 
>specific directory, why not just put a full path in there? That way we 
>wouldn't need a new sysctl. :-)
>
>Take care,
>
>Bill
>  
>


-- 
Garrett D'Amore                          http://www.tadpolecomputer.com/
Sr. Staff Engineer          Extending the Power of 64-bit UNIX Computing
Tadpole Computer, Inc.                             Phone: (951) 325-2134