In message <EA4F2C46-75A0-427F-AB5D-39CDD0130963@shagadelic.org>, Jason Thorpe 
writes:
>
>On Apr 6, 2005, at 12:20 PM, Steven M. Bellovin wrote:
>
>>> What about introducing a concept of nonce-uids? Each process would
>>> be assigned a temporary uid distinct from all other extant
>>> uids. This would be even more powerful than the
>>> dummy-uid-per-daemon model, since it would prevent (say) two
>>> pflogd processes from interfering with each other.
>>>
>>
>> A good idea, but we still need a way to say what files it can access,
>> which is why I mentioned systrace.
>
>Right, and with systrace, you don't even need separate UIDs.  User  
>"daemon" plus a well-written systrace policy should pretty much cover  
>it.
>

Yup -- but we need the policies and, I suspect, a framework to use them 
properly.

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb