re: Addition to kauth(9) framework

To: mrg%eterna.com.au@localhost
Subject: re: Addition to kauth(9) framework
From: yamt%mwd.biglobe.ne.jp@localhost (YAMAMOTO Takashi)
Date: Tue, 30 Aug 2011 00:30:28 +0000 (UTC)

>> > In article <20110829003259.913F014A289%mail.netbsd.org@localhost>,
>> > YAMAMOTO Takashi <yamt%mwd.biglobe.ne.jp@localhost> wrote:
>> >>hi,
>> >>
>> >>> I'd like to apply the attached patch.
>> >>> It implements two things:
>> >>> 
>> >>> - chroot(2)-ed process is given new kauth_cred_t with reference count
>> >>>   equal to 1.
>> >>
>> >>can you find a way to avoid this?
>> >>
>> >>YAMAMOTO Takashi
>> > 
>> > He tried and I think that this is the minimal hook he needs.
>> 
>> do you mean that we need to unshare the credential unconditionally,
>> regardless his module is used or not?  why?
> 
> maybe it's just me, but i actually have absolutely no problem
> with chroot unsharing kauth_cred_t by default.  it just seems
> to have more generic safety aspects.

if you want safety for bugs, it's better to make modification attempts
(eg. kauth_cred_setuid) automatically unshare the cred.  iirc it's
what apple does.

YAMAMOTO Takashi

> 
> 
> .mrg.

References:
- re: Addition to kauth(9) framework
  - From: matthew green

Prev by Date: Areca 1880?
Next by Date: Re: Addition to kauth(9) framework
Previous by Thread: Re: Addition to kauth(9) framework
Next by Thread: Re: Addition to kauth(9) framework
Indexes:

Home | Main Index | Thread Index | Old Index