lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 12 May 2008 15:06:26 -0700 (PDT)
From:	Casey Schaufler <casey@...aufler-ca.com>
To:	Olaf Dietsche <olaf+list.linux-kernel@...fdietsche.de>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] 2.6.25: access permission filesystem 0.21


--- Olaf Dietsche <olaf+list.linux-kernel@...fdietsche.de> wrote:

> This patch adds a new permission managing file system.
> Furthermore, it adds two modules, which make use of this file system.
> 
> One module allows granting capabilities based on user-/groupid.

Hmm. The primary purpose of the capability mechanism, according
to the POSIX P1003.1e/2c working group*, is to separate the
privilege mechanism from the userid mechanism. You are now
reintegrating them two mechanims, albiet differently than
they were integrated before. You can already achieve this end
using filesystem based capabilties and mode bits and/or ACLs,
so why the change?

> The
> second module allows to grant access to lower numbered ports based on
> user-/groupid, too.

Woof. As reasonable as mode bits on ports seems, there's an
awful lot of tradition associated with the privileged port
model. I can see the value in it, I've actually implemented
it in the past in the Unix world, but I have never seen anyone
willing to take advantage of the scheme. 


-----
* As I'm the only member of that working group who ever pipes
  up here, you'll have to take my word for it. (smiley)


Casey Schaufler
casey@...aufler-ca.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ