On Apr 6, 2005, at 12:20 PM, Steven M. Bellovin wrote:

>> What about introducing a concept of nonce-uids? Each process would
>> be assigned a temporary uid distinct from all other extant
>> uids. This would be even more powerful than the
>> dummy-uid-per-daemon model, since it would prevent (say) two
>> pflogd processes from interfering with each other.
>>
>
> A good idea, but we still need a way to say what files it can access,
> which is why I mentioned systrace.

Right, and with systrace, you don't even need separate UIDs.  User  
"daemon" plus a well-written systrace policy should pretty much cover  
it.

-- thorpej