Subject: Re: Miscellaneous OS features: capabilities
To: None <current-users@NetBSD.org>
From: David Young <dyoung@pobox.com>
List: current-users
Date: 08/11/2003 01:02:46
On Mon, Aug 11, 2003 at 04:15:05AM +0000, Nate Hill wrote:
> On Mon August 11 2003 02:14, David Young wrote:
> > On Fri, Aug 08, 2003 at 07:39:22AM -0400, Sporleder, Matthew wrote:
> > > Speaking of de-rooting-
> > > Could you just add a /dev/ports/ directory or something along
> > > those lines to then chown specific ports to any user you wanted:
> > > <daemon>d, for example?
> >
> >   Take it a step further. Grant the daemon *process* only the
> > privileges it needs, using the imaginary "cap" command.
> >
> > CAP(1)                       NetBSD Reference Manual                       CAP(1)
> >
> > NAME
> >      cap - an imaginary program which runs a command with
> > restricted privileges
> >
> 
> This could be done quite easily. A nice front-end to a set-uid 
> systrace is needed.

  No doubt, but is it not a little backward to use a set-uid program to
  run a command with least privileges? =)

Dave

-- 
David Young             OJC Technologies
dyoung@ojctech.com      Urbana, IL * (217) 278-3933