Darren has got a job working on Trusted Solaris: he sometimes has time to
contribute comment to the list now...
> I ask because I have the number of suid binaries on my system down to a
> very low number, and the following remaining are just begging for a subset
> of root privs:
>
> ping, traceroute: priv = open raw socket
> ssh,rlogin,rcp,r<etc> priv = open socket num < 1024
>
> Other useful privilege subsets would of course be read any file, tty
> chowning/chmoding, etc.
In the latest draft, privileges got renamed "capabilities" and happily they
are 99% implemented now. (Zefram and I finished up what Darren had
started a month or so ago.)
Work is still progressing. It is hampered by the fact that few have a copy
of the draft standard. If you want to get on the list, subscribe to
linux-privs-request@mit.edu
(which is manually maintained by Ted Ts'o).
For patches against 2.0.30
http://parc.power.net/morgan/Orange-Linux/linux-privs/index.html
I am currently working on the auditing component. Remy Card is reportedly
working on the ACL stuff although this has been somewhat delayed because of
a Linux book he has been writing.
Best wishes
Andrew
-- Linux-PAM, libpwdb, Orange-Linux and Linux-GSS http://parc.power.net/morgan/index.html
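
The privilege subsets listed in the quoted post (raw socket, bind to a port below 1024), checked against a process's effective capability mask. This is an added example, not part of the original message or of the linux-privs patches. It assumes the capability names and bit numbers of current mainline Linux (`CAP_NET_RAW` = 13, `CAP_NET_BIND_SERVICE` = 10, and so on); the `NEEDED` policy table and the sample lines are constructed for illustration.

```python
# Added example: audit effective-capability masks against the privilege
# subsets named in the quoted post. Bit numbers are those of current mainline
# Linux (<linux/capability.h>), an assumption relative to the 1997 patches.
CAP_BITS = {
    0: "CAP_CHOWN",
    1: "CAP_DAC_OVERRIDE",
    2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER",
    10: "CAP_NET_BIND_SERVICE",
    13: "CAP_NET_RAW",
}

# Hypothetical policy: the one capability each program needs, per the post.
NEEDED = {
    "ping": {"CAP_NET_RAW"},
    "traceroute": {"CAP_NET_RAW"},
    "rlogin": {"CAP_NET_BIND_SERVICE"},
}

def decode(mask_hex):
    """Turn a CapEff-style hex mask into a set of capability names."""
    mask = int(mask_hex, 16)
    names = set()
    bit = 0
    while mask:
        if mask & 1:
            names.add(CAP_BITS.get(bit, f"bit{bit}"))
        mask >>= 1
        bit += 1
    return names

def excess(program, mask_hex):
    """Capabilities held beyond the program's declared need (sorted)."""
    return sorted(decode(mask_hex) - NEEDED.get(program, set()))

def audit(lines):
    """Parse 'program CapEff: hex' lines; return {program: excess}."""
    findings = {}
    for line in lines:
        program, _, mask_hex = line.split()
        extra = excess(program, mask_hex)
        if extra:
            findings[program] = extra
    return findings

# Constructed sample input (not captured from a real system).
SAMPLE = [
    "ping CapEff: 0000000000002000",        # only bit 13
    "traceroute CapEff: 0000000000002401",  # bits 0, 10, 13
    "rlogin CapEff: 0000000000000400",      # only bit 10
]

if __name__ == "__main__":
    for prog, extra in audit(SAMPLE).items():
        print(f"{prog}: exceeds declared need with {', '.join(extra)}")
```

On a live system the mask comes from the `CapEff:` line of `/proc/<pid>/status`; a program missing from the policy table is reported with every capability it holds.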