On Sat, 19 Feb 2000 14:51:51 -0500
Theodore Y. Ts'o wrote:
>
> [...] So the first question is whether we want to try to
> conform to the last POSIX draft, and (as much as possible) be compatible
> with the other Trusted Unixes out there.
That's very important. Yes.
> [...]
> Now, with all of that being said, if you don't want the full
> POSIX model, it's probably easier to simply leave things the way they
> are right now, and not try to put anything in the filesystem. Just
> simply allow programs to be setuid root, and then let them drop
> whatever capabilities they don't need as soon as they start running in
> main() --- hopefully before any stack overrun vulnerabilities have a
> chance to execute. :-)
The kernel should boot up in non-trusted mode (with root and SUID root binaries
recieving full capabilities, as it's implemented now).
A simple syscall could then switch the kernel to trusted mode. Afterwards, root
is treated as all other others.
Switching to trusted mode then can easily be done in init scripts, ...
Of course, there shouldn't be a way to switch back to non-trusted mode...
Regards,
Andreas
------------------------------------------------------------------------
Andreas Gruenbacher, a.gruenbacher@computer.org
Contact information: http://www.bestbits.at/~agruenba
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Feb 23 2000 - 21:00:24 EST