Subject: Re: CVS commit: src/etc
To: Christopher Richards <richards+netbsd@CS.Princeton.EDU>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 04/06/2005 15:20:12
In message <csbekdnzphj.fsf@CS.Princeton.EDU>, Christopher Richards writes:
>On Wed, 06 Apr 2005 13:22:02 -0400, Steven M. Bellovin wrote:
>> There are often lots of reasons to disagree with them; this isn't one
>> of them. We really want to limit the damages that can be done by any
>> single malfunctioning program.
>> A more interesting question is whether or not there's a better way,
>> since lots of special-purpose logins create their own manageability
>> headaches. Perhaps something with systrace?
>What about introducing a concept of nonce-uids? Each process would
>be assigned a temporary uid distinct from all other extant
>uids. This would be even more powerful than the
>dummy-uid-per-daemon model, since it would prevent (say) two
>pflogd processes from interfering with each other.
A good idea, but we still need a way to say what files it can access,
which is why I mentioned systrace.
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
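The two designs the thread compares, nonce uids per process and a systrace-style policy stating which files a program may open, can be modelled side by side. The block below is an added illustration, not code from either correspondent or from NetBSD: it allocates a distinct temporary uid to each of two constructed pflogd instances, evaluates classic owner/group/other DAC bits, and then applies a per-program path policy as an extra restriction on top of DAC. The uid range, the pflogd gid, the file modes and the policy format are all assumptions made for the example.

```python
"""Toy model of per-process ("nonce") uids plus a systrace-like file policy.
Added example for the thread above; uid range, gid, modes and policy format
are constructed assumptions, not NetBSD's actual mechanism."""
from dataclasses import dataclass, field

NONCE_UID_START = 60000   # assumption: a uid range no real account uses
NONCE_UID_END = 65000
PFLOGD_GID = 1001         # assumption: a fixed group shared by all pflogd instances


class NonceUidAllocator:
    """Hands out a uid distinct from every other live process's uid and
    returns it to the pool only after the owning process exits."""

    def __init__(self, start=NONCE_UID_START, end=NONCE_UID_END):
        self._free = list(range(start, end))
        self._live = {}  # pid -> uid

    def allocate(self, pid):
        if pid in self._live:
            raise ValueError(f"pid {pid} already holds a nonce uid")
        if not self._free:
            raise RuntimeError("nonce uid range exhausted")
        uid = self._free.pop(0)
        self._live[pid] = uid
        return uid

    def release(self, pid):
        uid = self._live.pop(pid)
        self._free.append(uid)
        return uid


@dataclass
class File:
    owner: int
    group: int
    mode: int  # classic Unix permission bits, e.g. 0o600


def dac_allows(uid, gids, f, write):
    """Discretionary check: owner bits if uid owns the file, group bits if
    one of the process's gids matches, otherwise the 'other' bits."""
    if uid == f.owner:
        bits = (f.mode >> 6) & 0o7
    elif f.group in gids:
        bits = (f.mode >> 3) & 0o7
    else:
        bits = f.mode & 0o7
    needed = 0o2 if write else 0o4
    return bool(bits & needed)


@dataclass
class Policy:
    """Per-program policy in the spirit of systrace: a whitelist of paths a
    program may open, with 'r' or 'rw'. Anything not listed is denied."""
    allow: dict = field(default_factory=dict)  # program -> {path: "r" | "rw"}

    def allows(self, program, path, write):
        perm = self.allow.get(program, {}).get(path)
        if perm is None:
            return False
        return perm == "rw" or not write


def may_open(fs, policy, program, uid, gids, path, write):
    """A process running `program` as (uid, gids) may open `path` only if
    both the DAC bits and the program's policy permit it."""
    f = fs.get(path)
    if f is None:
        return False
    return dac_allows(uid, gids, f, write) and policy.allows(program, path, write)


def demo():
    """Two pflogd instances with nonce uids; one shared log, one private pidfile."""
    alloc = NonceUidAllocator()
    uid_a = alloc.allocate(pid=101)   # first pflogd
    uid_b = alloc.allocate(pid=102)   # second pflogd
    gids = {PFLOGD_GID}
    fs = {  # constructed filesystem
        "/var/run/pflogd-a.pid": File(owner=uid_a, group=PFLOGD_GID, mode=0o600),
        "/var/log/pflog": File(owner=0, group=PFLOGD_GID, mode=0o660),
        "/etc/passwd": File(owner=0, group=0, mode=0o644),
    }
    policy = Policy(allow={"pflogd": {"/var/log/pflog": "rw"}})
    return {
        "distinct_uids": uid_a != uid_b,
        # nonce uids alone keep instance B out of instance A's private file
        "b_reads_a_pidfile": may_open(fs, policy, "pflogd", uid_b, gids,
                                      "/var/run/pflogd-a.pid", write=False),
        # the shared log is reachable through the fixed group plus the policy
        "a_writes_log": may_open(fs, policy, "pflogd", uid_a, gids, "/var/log/pflog", write=True),
        "b_writes_log": may_open(fs, policy, "pflogd", uid_b, gids, "/var/log/pflog", write=True),
        # DAC would let any uid read /etc/passwd; only the policy says no
        "a_reads_passwd_dac_only": dac_allows(uid_a, gids, fs["/etc/passwd"], write=False),
        "a_reads_passwd": may_open(fs, policy, "pflogd", uid_a, gids, "/etc/passwd", write=False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two entries of `demo()` carry the thread's point: a fresh uid stops two instances from touching each other's files, but it grants nothing and forbids nothing about world-readable files, so a separate statement of which paths the program may open is still required.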