On Mon, Mar 17, 2008 at 11:53:38PM -0400, der Mouse wrote:
> I think Brian's note on this subject is very good; it clearly lays out
> a bunch of things I'd been thinking but not quite clearly enough to put
> into an email.
>
> Elad replies to Brian,
>
> >> [I]t's not clear the sec model, as currently implemented, provides
> >> enough richness in the authentication and authorization tokens to
> >> allow a sec policy to be written [to properly allow the cluster of
> >> operations that constitute a reboot].
> > Assuming you could do that, how would you make sure that a user
> > granted the ability to reboot the system does not take advantage of
> > this ability to let the reboot program kill some processes, and then
> > SIGKILL it?
>
> Exactly. That's the weakness I see (Brian too, apparently).

I don't see why this isn't solved by moving this work to init (not the
kernel, please). The secmodel allows the user to signal init, init
orchestrates the graceful shutdown (either internally by moving the code,
or possibly just by spawning a reboot(8) running with real root privs).
The secmodel also allows the user to call reboot(2) for an ungraceful
shutdown, perhaps if init isn't making progress fast enough. These may
well be separate rights (graceful vs ungraceful shutdowns).

A previous post talked about one possible way of signalling init and
some issues with it, but there are plenty of good options.

-- Dan.