[rsbac] AUTH capabilities

Amon Ott rsbac@rsbac.org
Wed Nov 13 09:59:01 2002

Previous message: [rsbac] AUTH capabilities
Next message: [rsbac] Take ownership concepts
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tuesday, 12. November 2002 21:57, Pallai Roland wrote:
> On Mon, 2002-11-11 at 11:53, Amon Ott wrote:
> > The check in seteuid has been removed some versions ago, because seteuid 
has 
> > no consequence for the RSBAC models. The cleanest way to check it would 
> > probably be an extra request CHANGE_DAC_EFF_OWNER with additional AUTH 
cap 
> > sets.
> 
>  I agree, it could help a lots when we need to restrict a setuid capable
> daemon which run as a user..  may I hope that, if this feature will be
> part of the RSBAC in the near future?

OK, I will put it on my To-Do-List. If we change it anyway, we should 
probably also add CHANGE_DAC_FS_OWNER and yet another AUTH set.

A warning to you: It will make the AUTH setup more complicated, because all 
the seteuid and setfsuid cases will have to be configured as well. So the 
extra sets and checks in AUTH will be optional, the requests not.

>  anyway, RSBAC is a damn good stuff, congratulations, Amon! :)

Thanks. :)

Amon.
--
http://www.rsbac.org

Previous message: [rsbac] AUTH capabilities
Next message: [rsbac] Take ownership concepts
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]