tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: /sbin/reboot and secmodel

der Mouse wrote:
Assuming you could do that, how would you make sure that a user
granted the ability to reboot the system does not take advantage of
this ability to let the reboot program kill some processes, and
then SIGKILL it?
Exactly.  That's the weakness I see (Brian too, apparently).
I don't see why this isn't solved by moving this work to init (not
the kernel, please).

In this particular instance, it is.  But this is not going to be the
last time some multi-part privileged task causes trouble because
granting the privilege to perform its parts is far more than should be
granted to perform the conceptual task, and eventually one of them will
be impractically difficult to solve by pushing the whole task into some
already-existing privileged process.

I'm not sure. We can't base our design on speculations, we'll have to
actually look for more problems like this. Perhaps we'll find them
faster with people trying to use the new secmodel features. :)


Home | Main Index | Thread Index | Old Index