tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: /sbin/reboot and secmodel

On Mon, Mar 17, 2008 at 11:53:38PM -0400, der Mouse wrote:
> I think Brian's note on this subject is very good; it clearly lays out
> a bunch of things I'd been thinking but not quite clearly enough to put
> into an email.
> Elad replies to Brian,
> >> [I]t's not clear the sec model, as currently implemented, provides
> >> enough richness in the authentication and authorization tokens to
> >> allow a sec policy to be written [to properly allow the cluster of
> >> operations that constitute a reboot].
> > Assuming you could do that, how would you make sure that a user
> > granted the ability to reboot the system does not take advantage of
> > this ability to let the reboot program kill some processes, and then
> > SIGKILL it?
> Exactly.  That's the weakness I see (Brian too, apparently).

I don't see why this isn't solved by moving this work to init (not the
kernel, please).  The secmodel allows the user to signal init, init
orchestrates the graceful shutdown (either internally by moving the
code, or possibly just by spawning a reboot(8) running with real root

The secmodel also allows the user to call reboot(2) for an ungraceful
shutdown, perhaps if init isn't making progress fast enough. These may
well be separate rights (graceful vs ungraceful shutdowns).

A previous post talked about one possible way of signalling init and
some issues with it, but there are plenty of good options.


Attachment: pgps0TtNexBHG.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index