[rsbac] AUTH capabilities
Amon Ott
rsbac@rsbac.org
Wed Nov 13 09:59:01 2002
On Tuesday, 12. November 2002 21:57, Pallai Roland wrote:
> On Mon, 2002-11-11 at 11:53, Amon Ott wrote:
> > The check in seteuid has been removed some versions ago, because seteuid has
> > no consequence for the RSBAC models. The cleanest way to check it would
> > probably be an extra request CHANGE_DAC_EFF_OWNER with additional AUTH cap
> > sets.
>
> I agree, it could help a lot when we need to restrict a setuid capable
> daemon which runs as a user.. may I hope that this feature will be
> part of RSBAC in the near future?
OK, I will put it on my To-Do-List. If we change it anyway, we should
probably also add CHANGE_DAC_FS_OWNER and yet another AUTH set.
A warning to you: It will make the AUTH setup more complicated, because all
the seteuid and setfsuid cases will have to be configured as well. So the
extra sets and checks in AUTH will be optional, the requests not.
> anyway, RSBAC is damn good stuff, congratulations, Amon! :)
Thanks. :)
Amon.
--
http://www.rsbac.org