Message-ID: <20071005004454.A10105@mrwint.cisco.com>
Date: Fri, 5 Oct 2007 00:44:54 +0100
From: Derek Fawcus <dfawcus@...co.com>
To: Chuck Ebbert <cebbert@...hat.com>
Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

On Thu, Oct 04, 2007 at 07:18:47PM -0400, Chuck Ebbert wrote:
> > I ran firefox setuid to a different (not my main user), uid+gid, gave
> > my main account that gid as a supplemental group, and gave that uid
> > access to the X magic cookie.
>
> You need to use runxas to get any kind of real security.

Interesting script - sad how everyone reinvents equivalent things.

I had been experimenting with running the whole lot under Xnest,
with two extra users - one for the Xnest which had the main X
cookie, and another for the browser. But found that it was just
too awkward (since I use multiple browser windows as well as tabs).
So I ended up trading a small security gain vs usability.

The other thing I started playing with was the NX version of Xnest,
since it allows for a rootless server...

DF