Subject: Re: CVS commit: src/etc
To: Steven M. Bellovin <firstname.lastname@example.org>
From: Christopher Richards <richards+netbsd@CS.Princeton.EDU>
Date: 04/06/2005 15:15:04

On Wed, 06 Apr 2005 13:22:02 -0400, Steven M. Bellovin wrote:
> There are often lots of reasons to disagree with them; this isn't one
> of them. We really want to limit the damages that can be done by any
> single malfunctioning program.
>
> A more interesting question is whether or not there's a better way,
> since lots of special-purpose logins create their own manageability
> headaches. Perhaps something with systrace?

What about introducing a concept of nonce-uids? Each process would
be assigned a temporary uid distinct from all other extant
uids. This would be even more powerful than the
dummy-uid-per-daemon model, since it would prevent (say) two
pflogd processes from interfering with each other.