> How about implementing a new field in the process structure, which gives
> the SMALLEST possible uid for this process? standard would be 0, but could
> be raised by all|root to any other value, maybe root could want lower it too.
>
Limiting set(re)uid seems like a nice extension, but I think the proposed
mechanism is wrong.
I had an idea, a while back, to change the setuid / setgid semantics a bit
when using ACLs (which are themselves still a future idea...); my idea is
to move the two bits indicating setuid and setgid to *each* entry in the
ACL. This way, I can set- for each program- not just *who* can use it,
but *what permissions* they'll get when they do. (In a similar vein, if
we ever add support for forced capability sets to the filesystem, we can
use a similar idea and give varying capabilities to each user).
This also solves the server situation- simply set the set[ug]id bits only
in ACLs, and only for users / groups that aren't restricted. Then the
more `restricted' users won't see the programs as setuid at all.
-az
------------------------+----------------------------------------------------
. __ | Phone: +972 3 5340753 (home), +972 3 9685882 (work)
_| / | email: alonz@usa.net
/ | /_ Alon Ziv | smail: 33 Ha-Rama St., Ganey Tiqwah 55900, Israel
------------------------+----------------------------------------------------
<<<(((this place reserved for that ultra-wise oneliner I haven't found.)))>>>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/