Re: New Security Features, Please Comment

From: Peter Teoh
Date: Wed Dec 03 2008 - 19:22:23 EST

On Thu, Dec 4, 2008 at 8:00 AM, Geoffrey McRae <geoff@xxxxxxxxxxxxx> wrote:
> The setuid/gid concept in linux is very limited, it would be nice to be
> able to grant programs limited use of setuid, and even go one step
> further, grant programs limited ability to set child uids.

Yes, there can be many other variation on what u have just said, eg,
adding conditions whereby the grant can be used, etc. If u have a
chance to learn a little bit of SELinux, u will know the whole thing
can be very complex, especially the rules and policies configuration.
It is a fine balance between overheads vs performance and usability.

> To be completly honest, this is the kind of functionallity I expected to
> already be there, and I was hopeing someone would tell me to RTFM on
> function X that already does this...

Yes, I am sure it exists...and more likely than not, it can be very
application specific, and therefore, will be done by the higher-end
application in userspace.

But looking beyond, is there any other OS that may have something
similar? (Windows, or OpenBSD etc?) Not sure for me.

Peter Teoh

Ernest Hemingway - "Never mistake motion for action."
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at