tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: /sbin/reboot and secmodel

Steven M. Bellovin wrote:

What occurs to me is to use secmodel to restrict or grant access to the
user-level program that does the shutdown -- that would avoid moving
too much goo to the kernel.

One thing that bothers me with granting access to the program is a
scenario where someone with privilege to reboot is trying to leverage
that privilege to kill arbitrary (or, given the way the killing is done,
specific) processes -- and stopping the program right before reboot(2)
is called.

As long as these phases of the reboot process are done in userland, I
think we're "reboot" implies "arbitrary process killing". Not sure how
much of a *real* issue that is :) but it's there.

Another thing to remember is that the secmodel in question works on
authorizing specific users -- not programs -- to have special privilege,
so it's up to the Emmanuel to decide whether that solution would work
for his needs or not.


Home | Main Index | Thread Index | Old Index