Subject: Re: per-process socket security settings
To: None <tech-net@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 03/11/2001 02:22:55
>>>>> "Jason" == Jason R Thorpe <thorpej@zembu.com> writes:
    Jason> On Thu, Mar 08, 2001 at 10:42:39AM +0900, itojun@iijlab.net wrote:

    >> yup, but if there's someone who would like to use IPsec'ed DNS
    >> lookup...  an option to /etc/resolv.conf may be necessary.

    Jason> Right, so if there is an option for resolv.conf, I guess it would
    Jason> work like this:

    Jason> 	- defaults to off.

    Jason> 	- if off, explicitly set policy to "don't use ipsec" when
    Jason> 	  making the DNS request.

  Is there a use case that you are thinking about here, where one would not
want to simply inherit some default? E.g. a system default, or a per-user
default? (I know that we don't have the latter.)

  Also, it isn't clear to me that a non-superuser can/should be able to
override a system default.

] Train travel features AC outlets with no take-off restrictions|gigabit is no[
]   Michael Richardson, Solidum Systems   Oh where, oh where has|problem  with[
]     mcr@solidum.com   www.solidum.com   the little fishy gone?|PAX.port 1100[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [