[rsbac] AUTH capabilities

Amon Ott rsbac@rsbac.org
Wed Nov 13 09:59:01 2002

On Tuesday, 12. November 2002 21:57, Pallai Roland wrote:
> On Mon, 2002-11-11 at 11:53, Amon Ott wrote:
> > The check in seteuid has been removed some versions ago, because seteuid 
> > no consequence for the RSBAC models. The cleanest way to check it would 
> > probably be an extra request CHANGE_DAC_EFF_OWNER with additional AUTH 
> > sets.
>  I agree, it could help a lots when we need to restrict a setuid capable
> daemon which run as a user..  may I hope that, if this feature will be
> part of the RSBAC in the near future?

OK, I will put it on my To-Do-List. If we change it anyway, we should 
probably also add CHANGE_DAC_FS_OWNER and yet another AUTH set.

A warning to you: It will make the AUTH setup more complicated, because all 
the seteuid and setfsuid cases will have to be configured as well. So the 
extra sets and checks in AUTH will be optional, the requests not.

>  anyway, RSBAC is a damn good stuff, congratulations, Amon! :)

Thanks. :)