Subject: RE: Miscellaneous OS features
To: None <current-users@NetBSD.org>
From: Sporleder, Matthew (CCI-Atlanta) <Matthew.Sporleder@cox.com>
List: current-users
Date: 08/08/2003 07:39:22
Speaking of de-rooting-
Could you just add a /dev/ports/ directory or something along those lines to
then chown specific ports to any user you wanted: <daemon>d, for example?

Then you would just have to work on building a protected environment for
that specific user?  It was just an idea I had in rush hour yesterday
afternoon and I haven't come up with a way to test it yet.

_Matt

-----Original Message-----
From: Chuck Yerkes [mailto:chuck+nbsd@2003.snew.com]
Sent: Friday, August 08, 2003 1:12 AM
To: current-users@NetBSD.org
Subject: Re: Miscellaneous OS features


But back on NetBSD - which lets me run a 266MHz Alpha as a desktop
just fine.  Virtual machines are tempting.  But there are many
things in between that are equally tempting.  That holy grail of
breaking up "root" and losing some of its binary-ness (you've got
all power or you don't) has been a long time coming.

OpenBSD's approach has been to "de-root" many of the daemons that run
quite actively.  portmap runs as user _portmap, same for ssh and many
others.

Give me ACL access to files might be a neat thing. I recall how
nice that was to get back after a mainframe (CDC cyber-something)
had it then using VMS 3.x without it and getting it back in VMS 4.

How many of us have played group games with people jumbled around
in 14 different groups so they could see this file or that directory?

I'd rather be able to lock users into areas due to privilege than
try to manage 30 virtual machines.  It's enough to manage one machine
per virtual machine.

okay, enough topic drift....