Security models (was: [lug] KDE ...)
rm at fabula.de
Wed Jan 9 06:32:53 MST 2002
On Tue, Jan 08, 2002 at 03:53:30PM -0700, D. Stimits wrote:
>
> Some filesystems support permissions beyond the usual user/group/other.
> The XFS filesystem supports more advanced Access Control Lists (ACLs
> for short) that go far beyond this coarse granularity. Check out:
> http://oss.sgi.com/projects/xfs/features.html
>
> The only thing is that XFS is not supported without getting an XFS
> kernel. But if you do this and mount a data and non-system bin
> partition, you can do extraordinary things. You *must* be certain that
> the version you get is considered "good", there are patches for various
> kernel numbers, even for RH kernels to install by, but you want a solid
> version for your running system; if you do not need to run your root
> partition on XFS, this is trivial. And XFS is *very* good performance
> and meta journalling.
Yes, I'm aware of this. And there is capability support in the kernel as
well. The problem as I see it: there is no unified support for these
features. Programs like 'chmod' etc. need to support these features.
There's no central place (or central tool) to manage user permissions/
capabilities. You need to use a plethora of tools to do something like:
"This user is a normal user _but_ is allowed to open /dev/dsp, set
realtime priority on programs that access /dev/dsp but can't use
more than x% of the CPU".
Also, most applications would need to be rewritten to take advantage
of these features. No more 'setuid(2)' just to open port 53 ....
Ralf Mattes
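
Added example, not part of the original message: a small audit helper that decodes the `CapEff` bitmask from `/proc/<pid>/status` and compares it with the capabilities a process actually needs, such as `net_bind_service` for port 53 or `sys_nice` for realtime priority. The status snippets, process names and the `audit` helper are constructed for illustration.

```python
# Added example, not from the original thread. All sample data is constructed.
# Bits 0..28 as numbered in <linux/capability.h>; higher bits print as cap_<n>.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease"
).split()

def decode(mask):
    """Return the set of capability names whose bits are set in mask."""
    return {
        CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}"
        for bit in range(mask.bit_length())
        if (mask >> bit) & 1
    }

def cap_eff(status_text):
    """Extract the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")

def audit(status_text, needed):
    """Compare held capabilities with the set the process needs."""
    held = decode(cap_eff(status_text))
    return {"missing": sorted(needed - held), "excess": sorted(held - needed)}

# Constructed samples: a DNS daemon running as full root, the same daemon
# holding only the bind capability, and an audio player with sys_nice only.
ROOT_DAEMON = "Name:\tnamed\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
LEAST_DAEMON = "Name:\tnamed\nUid:\t25\t25\t25\t25\nCapEff:\t0000000000000400\n"
AUDIO_USER = "Name:\tplayer\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000800000\n"

if __name__ == "__main__":
    for label, text, needed in [
        ("root daemon", ROOT_DAEMON, {"net_bind_service"}),
        ("least-privilege daemon", LEAST_DAEMON, {"net_bind_service"}),
        ("audio user", AUDIO_USER, {"sys_nice"}),
    ]:
        print(label, audit(text, needed))
```

The capability mask only covers the privilege part of the policy: access to /dev/dsp is a file permission or ACL matter, and a CPU share limit is enforced by yet another mechanism.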