[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: RFC: New security model secmodel_securechroot(9)
On Sun, Jul 10, 2011 at 12:58:42PM -0400, Thor Lancelot Simon wrote:
> What I ended up with on my system that started out pretty much where
> this proposal does was with a hack that used special group IDs as
Cumulating capabilities (and negations?) over all the subsiduary groups
might be a way of giving fine control.
One problem is that, historically, unix privileges have always been
based on a sledgehammer approach - if you don't want everybody to
be able to do something then only root can do it.
Even for programs the 'group execute + suid' can be used to allow
some people to run some programs. But that probably needs the limit
on the number of subsiduary groups raised significantly.
David Laight: david%l8s.co.uk@localhost
Main Index |
Thread Index |