Re: Addition to kauth(9) framework

To: Christos Zoulas <christos%zoulas.com@localhost>
Subject: Re: Addition to kauth(9) framework
From: Alistair Crooks <agc%pkgsrc.org@localhost>
Date: Mon, 29 Aug 2011 16:57:42 +0200

On Mon, Aug 29, 2011 at 09:19:11AM -0400, Christos Zoulas wrote:
> On Aug 29,  7:54pm, mrg%eterna.com.au@localhost (matthew green) wrote:
> -- Subject: re: Addition to kauth(9) framework
> 
> | 
> | > > In article <20110829003259.913F014A289%mail.netbsd.org@localhost>,
> | > > YAMAMOTO Takashi <yamt%mwd.biglobe.ne.jp@localhost> wrote:
> | > >>hi,
> | > >>
> | > >>> I'd like to apply the attached patch.
> | > >>> It implements two things:
> | > >>> 
> | > >>> - chroot(2)-ed process is given new kauth_cred_t with reference count
> | > >>>   equal to 1.
> | > >>
> | > >>can you find a way to avoid this?
> | > >>
> | > >>YAMAMOTO Takashi
> | > > 
> | > > He tried and I think that this is the minimal hook he needs.
> | > 
> | > do you mean that we need to unshare the credential unconditionally,
> | > regardless his module is used or not?  why?
> | 
> | maybe it's just me, but i actually have absolutely no problem
> | with chroot unsharing kauth_cred_t by default.  it just seems
> | to have more generic safety aspects.
> 
> I share the same sentiment; I don't see the change as a big deal.

Likewise - the whole idea behind chroot is the isolatino of
operations, and I can only see the unsharing of kauth_cred_t by
default as helping this.

Maybe I'm missing something here?

Thanks,
Alistair

References:
- re: Addition to kauth(9) framework
  - From: matthew green
- re: Addition to kauth(9) framework
  - From: Christos Zoulas

Prev by Date: Re: CVS commit: src/sys/arch/xen
Next by Date: netbsd32 emulation in driver open() or read()
Previous by Thread: re: Addition to kauth(9) framework
Next by Thread: Re: Addition to kauth(9) framework
Indexes:

Home | Main Index | Thread Index | Old Index