tech-kern archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Addition to kauth(9) framework
On Mon, Aug 29, 2011 at 09:19:11AM -0400, Christos Zoulas wrote:
> On Aug 29, 7:54pm, mrg%eterna.com.au@localhost (matthew green) wrote:
> -- Subject: re: Addition to kauth(9) framework
>
> |
> | > > In article <20110829003259.913F014A289%mail.netbsd.org@localhost>,
> | > > YAMAMOTO Takashi <yamt%mwd.biglobe.ne.jp@localhost> wrote:
> | > >>hi,
> | > >>
> | > >>> I'd like to apply the attached patch.
> | > >>> It implements two things:
> | > >>>
> | > >>> - chroot(2)-ed process is given new kauth_cred_t with reference count
> | > >>> equal to 1.
> | > >>
> | > >>can you find a way to avoid this?
> | > >>
> | > >>YAMAMOTO Takashi
> | > >
> | > > He tried and I think that this is the minimal hook he needs.
> | >
> | > do you mean that we need to unshare the credential unconditionally,
> | > regardless his module is used or not? why?
> |
> | maybe it's just me, but i actually have absolutely no problem
> | with chroot unsharing kauth_cred_t by default. it just seems
> | to have more generic safety aspects.
>
> I share the same sentiment; I don't see the change as a big deal.
Likewise - the whole idea behind chroot is the isolatino of
operations, and I can only see the unsharing of kauth_cred_t by
default as helping this.
Maybe I'm missing something here?
Thanks,
Alistair
Home |
Main Index |
Thread Index |
Old Index