Re: [PATCH 0/4] MultiAdmin LSM

From: James Morris
Date: Tue May 02 2006 - 00:22:36 EST

Next message: Neil Brown: "Re: better leve triggered IRQ management needed"
Previous message: Charles Shannon Hendrix: "Re: OOM kills if swappiness set to 0, swap storms otherwise"
In reply to: Adrian Bunk: "Re: [PATCH 4a/4] MultiAdmin LSM (LKCS'ed)"
Next in thread: Pavel Machek: "Re: [PATCH 0/4] MultiAdmin LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This module implements two distinct ideas:

(1) Multiple superusers with distinct UIDs.

More than one root on a system I think is generally regarded as a bad
idea. I'm not sure why you'd use a scheme like this instead of, say, sudo
or custom setuid helpers for specific tasks -- whatever the case, I think
such issues can be addressed entirely in userspace.

(2) Partially decomposing the superuser and protecting some users from
some decomposed superusers, and decomposing CAP_SYS_ADMIN.

This is a special-case security policy hard-coded into the kernel. It
lacks a clear design rationale, and does not seem amenable to analysis, as
its access control coverage is incomplete.

As already suggested, it may be worth looking at just decomposing
CAP_SYS_ADMIN, although it's not clear how do to this correctly for the
general case.

- James
--
James Morris
<jmorris@xxxxxxxxx>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Neil Brown: "Re: better leve triggered IRQ management needed"
Previous message: Charles Shannon Hendrix: "Re: OOM kills if swappiness set to 0, swap storms otherwise"
In reply to: Adrian Bunk: "Re: [PATCH 4a/4] MultiAdmin LSM (LKCS'ed)"
Next in thread: Pavel Machek: "Re: [PATCH 0/4] MultiAdmin LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]