> I approve of the functionality this patch provides very much; suddenly a
> whole _stack_ of suid root binaries need not be so.
The functionality is also essential to building high-end firewalls, but
removing the necessity behind running network daemons as suid was the
major part of the motivation behind PACL; glad you approve.
> However, I will get the same benefit from POSIX.1e when Linux supports it,
> and this latter way has the advantage of conforming to a standard.
> Granted, we wouldn't have the same granularity :-)
That's exactly it; you won't get the same granularity. Once the FIXMEs
from my original message are fixed, I think that PACL can be a much
better solution to the problem.
> Nice hack though, I'll try it out. Just don't be surprised if your patch
> isn't scheduled for inclusion in the kernel by the powers that be....
I like to think of it as offering a superset of POSIX.1e, not as
being incompatible. Even if it isn't, I'm going to pretend that it's
a superset, at least. 8^)
Seriously, just because POSIX does something in a conservative and
unsatisfactory manner does not, per se, mean that we can't do something
better. Of course, PACL may very well not be that something, but I'd
like to see similar functionality, one way or another, in the kernel.
I don't think that PACL is, on its face, unacceptable, but time will tell;
I will ask for inclusion eventually.
-- Todd Graham Lewis Manager of Web Engineering MindSpring Enterprises (800) 719-4664, x2804 Linux! tlewis@mindspring.net