Subject: Re: security/10206 - proposed solution (concept)
To: Elad Efrat <elad@NetBSD.org>
From: Bernd Ernesti <netbsd@lists.veego.de>
List: tech-security
Date: 08/17/2005 08:35:28
On Wed, Aug 17, 2005 at 06:58:02AM +0300, Elad Efrat wrote:
> Alan Barrett wrote:
> 
> > Actually, the prohibited/optional/required status could just be implied
> > by the numeric ranges, but then you'd have to use "0 means 0", not "0
> > means infinity".  For example, "upper: 0" could mean "prohibited";
> > "upper: 1-*" could mean "1 or more required"; "upper: 1-3" could mean
> > "at least 1, but no more than 3"; "upper: 0-*" could mean "any number,
> > zero or more".
> 
> Yes, but then we'd lose a bit of the readability. This is hardly
> time-critical code, and in fact should be very clear to the admin as to
> what the configuration means.

That's what a manpage is for.

> I can change the range syntax, though.

I like the idea from Alan, so you have more flexibility to use a finer
policy.
And don't forget to use sane defaults if that file doesn't exist or
doesn't define all entries.

Bernd
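As an added illustration of the range syntax Alan proposes ("0 means 0", "1-*" for one or more, "1-3" for a bounded count) together with the sane-defaults handling Bernd asks for, here is example code that is not part of the thread or of the security/10206 proposal; the class names, the defaults and the comment syntax are assumptions:

```python
import re
from typing import Dict, Optional, Tuple

Range = Tuple[int, Optional[int]]  # (lo, hi); hi=None stands for "*"

# Assumed defaults: with no file, or with an entry missing, any number of
# each class is allowed ("0-*").  Note "0" alone means exactly zero.
DEFAULT_POLICY: Dict[str, Range] = {
    "upper": (0, None), "lower": (0, None),
    "digit": (0, None), "punct": (0, None),
}

# Character-class predicates (assumed names, one per policy entry).
CLASSES = {
    "upper": str.isupper, "lower": str.islower, "digit": str.isdigit,
    "punct": lambda c: not c.isalnum() and not c.isspace(),
}

_RANGE = re.compile(r"^(\d+)(?:-(\d+|\*))?$")

def parse_range(text: str) -> Range:
    """'0' -> (0,0) prohibited; '1-*' -> (1,None); '1-3' -> (1,3)."""
    m = _RANGE.match(text.strip())
    if not m:
        raise ValueError(f"bad range {text!r}")
    lo = int(m.group(1))
    hi_s = m.group(2)
    hi = lo if hi_s is None else (None if hi_s == "*" else int(hi_s))
    if hi is not None and hi < lo:
        raise ValueError(f"bad range {text!r}: upper bound below lower")
    return lo, hi

def load_policy(text: Optional[str]) -> Dict[str, Range]:
    """Parse 'class: range' lines; None (file absent) yields the defaults."""
    policy = dict(DEFAULT_POLICY)          # unspecified entries keep defaults
    for lineno, line in enumerate((text or "").splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # assumed '#' comments
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep or key.strip() not in DEFAULT_POLICY:
            raise ValueError(f"line {lineno}: unknown entry {line!r}")
        policy[key.strip()] = parse_range(value)
    return policy

def check_password(pw: str, policy: Dict[str, Range]) -> list:
    """Names of classes whose count falls outside its range (empty = ok)."""
    bad = []
    for name, (lo, hi) in policy.items():
        n = sum(1 for c in pw if CLASSES[name](c))
        if n < lo or (hi is not None and n > hi):
            bad.append(name)
    return bad
```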