Re: suidpid( UID, credential? ) ? secure IPC?

Jim Dennis (jimd@starshine.org)
Tue, 07 Oct 1997 07:59:58 -0700



> Instead of a suidpid() call, a more general, and much more interesting
> mechanism to think about creating would be a "protected shared library"
> mechanism.

With all due respect I don't want "more interesting" --
I want "more secure" and "more confidence inspiring."

sendmail is "interesting".
tcp_wrappers is closer to what I want.


> The basic idea is that while code in a protected shared library is
> executing, it has some level of privileges which is different from when
> the normal program is running. Jumps into protected shared library from
> the normal program are only allowed at certain "call gates", to prevent programs
> from trying to spoof the library by jumping into the middle of the
> routine. Naturally, any data pages used by the protected shared library
> would be read protected against the unprivileged portion of the program
> unless the PSL is itself actually running.
>
> This allows you to do all sorts of very interesting things all in
> userspace, without needing extra special-purpose system calls and
> without requiring an IPC mechanism. It does require a kernel
> context-switch to enter and leave a PSL, but if it's done properly, that
> should be the only overhead.
>
> - Ted

But it's still SUID. Now you'd have SUID shared libraries
-- yuck! What's wrong with a client/server model? Define
protocols and implement some means of passing resources
(such as open file handles) and delegating privileges
(such as access to a given "privileged" TCP port).

The more I think about it the more I see why KeyKOS, EROS,
Hydra and other "research" OSes espouse "capabilities."
I just wonder how a "capabilities" subsystem could be
implemented in Linux -- with some hope of application
transparency.

--
Jim Dennis  (800) 938-4078		consulting@starshine.org
Proprietor, Starshine Technical Services:  http://www.starshine.org
        PGP  1024/2ABF03B1 Jim Dennis <jim@starshine.org>
        Key fingerprint =  2524E3FEF0922A84  A27BDEDB38EBB95A
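The client/server delegation argued for above (a privileged process handing an already-open file handle to an unprivileged one, instead of running SUID code) as an added example; this is not code from the thread, and it assumes a Linux/POSIX system with Unix-domain sockets and SCM_RIGHTS.

```c
/* Added example, not code from the original thread: a privileged server passes
 * an already-open descriptor to an unprivileged client over a Unix-domain
 * socket with SCM_RIGHTS, the "passing resources" the reply prefers to SUID code. */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
/* Send `fd` over connected Unix socket `sock`. Returns 0 on success, -1 on error. */
int send_fd(int sock, int fd) {
    char byte = 'F';                       /* at least one data byte is required */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char buf[CMSG_SPACE(sizeof(int))] = { 0 };   /* zeroed: no padding bytes leak */
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor from `sock`; returns -1 unless exactly one valid fd arrived.
 * The result is a new fd that shares the sender's open file description. */
int recv_fd(int sock) {
    char byte, buf[CMSG_SPACE(sizeof(int))] = { 0 };
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;   /* reject anything else */
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int)); return fd;
}

/* Self-check: pass a pipe's write end across a socketpair and confirm the received
 * fd names the same open file (same device and inode). Returns 1 if it does. */
int demo_pass_fd(void) {
    int sp[2], pfd[2], got, same = 0;
    struct stat a, b;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0 || pipe(pfd) < 0) return 0;
    if (send_fd(sp[0], pfd[1]) == 0 && (got = recv_fd(sp[1])) >= 0) {
        same = fstat(pfd[1], &a) == 0 && fstat(got, &b) == 0 &&
               a.st_dev == b.st_dev && a.st_ino == b.st_ino;
        close(got);
    }
    close(sp[0]); close(sp[1]); close(pfd[0]); close(pfd[1]);
    return same;
}
```

The receiving side gets a capability-like handle to the file without ever needing the rights to open it, which is the property a privilege-separated server relies on.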