On Tue, Sep 26, 2000 at 10:07:28PM -0400, Raul Miller wrote:
:Warning: I'm not an expert.
Nor I. Additional warning: this has turned into somewhat of a rant...

However, after further reading I stand by my previous assertion that slapping capabilities on top of a Un*x-like system is asking for trouble. Are we really going to get anything valuable out of this? Will portmap be able to assign reserved ports without any other privileges? Will MTAs be restricted to just running the mail queue and *appending* to mail spool files? Will this mean that every file and/or directory will need to be picked over by the kernel (or some user-space daemon) if the machine is not shut down properly (or worse, even if it is), or will some checkpointing system be used to save this state (and suck up disk resources)? More to the point, is this even an issue for a distribution to take up? Wouldn't these changes happen upstream? (I know that some people here are also there, but...)

The granularity afforded by capabilities is, IMHO, required to have a reasonably secure operating system in an open environment. But putting capabilities on top of the blocky UN*X ACL system (especially if they can only *elevate* privilege) is likely to cause more problems than it solves, both in new and more interesting security holes and in overwhelming complexity for administrators (which will in turn cause more security flaws of omission). If you want a capability system, find one you like and work on developing that: one that doesn't have root and does have the granularity to really restrict users/processes/files/whatever to do only what they are intended to do. I don't see this as an attainable goal in a hybrid system.

The End is Nigh :)

-Jon
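The first question in the message above, a portmapper binding reserved ports with no other privilege, is the one that Linux capabilities (present since the 2.2 kernel) express directly: the process keeps CAP_NET_BIND_SERVICE and drops everything else. The program below is an added example, not code from this message or from any Debian package. It talks to the kernel through the raw capget/capset system calls so that libcap is not required, and it assumes a Linux host; the port number 111 is the portmapper's registered port and the only input it uses.

```c
/* Added example, not from the original post: restrict this process to the
 * single Linux capability that allows binding a reserved port
 * (CAP_NET_BIND_SERVICE) via raw capget/capset, then attempt the bind.
 * Linux only; no libcap needed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/capability.h>

/* Generic syscall wrapper, declared here so the example does not depend on
 * _GNU_SOURCE being defined before <unistd.h> is included. */
extern long syscall(long number, ...);

/* Bitmask of this thread's effective capabilities numbered 0..31, or -1 on
 * error. CAP_NET_BIND_SERVICE is 10, so it lives in this word. */
long effective_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return data[0].effective;
}

/* Drop every capability except those in `keep` (a mask over caps 0..31)
 * from the permitted, effective and inheritable sets. Reducing one's own
 * sets needs no privilege, so this also succeeds for an unprivileged
 * process, whose sets are simply already empty. Returns 0 or -errno. */
int keep_only(unsigned int keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    data[0].effective   &= keep;
    data[0].permitted   &= keep;
    data[0].inheritable &= keep;
    /* second word holds caps 32..63; none of them are wanted here */
    data[1].effective = data[1].permitted = data[1].inheritable = 0;
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    return 0;
}

/* Try to bind a TCP socket to 0.0.0.0:port. Returns 0 on success or -errno;
 * the kernel answers -EACCES when the port is below
 * net.ipv4.ip_unprivileged_port_start and the caller lacks
 * CAP_NET_BIND_SERVICE. Port 0 asks for an ephemeral port and always works. */
int try_bind(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : -errno;
    close(fd);
    return rc;
}

int main(void)
{
    printf("effective caps before: 0x%lx\n", effective_caps());
    int rc = keep_only(1u << CAP_NET_BIND_SERVICE);
    printf("keep_only -> %d, effective caps after: 0x%lx\n", rc, effective_caps());
    rc = try_bind(111); /* the portmapper's reserved port */
    printf("bind 0.0.0.0:111 -> %s\n", rc == 0 ? "ok" : strerror(-rc));
    return 0;
}
```

Run as root the second line reports `effective caps after: 0x400` (only bit 10 set) and the bind succeeds with nothing else left in the permitted set, so a compromise of the process cannot regain root through the capability sets. Run as an ordinary user the sets are already empty, `keep_only` changes nothing, and the bind is refused with "Permission denied" unless the administrator has lowered net.ipv4.ip_unprivileged_port_start. The second question in the message, an MTA limited to appending to spool files, has no capability equivalent; that is a file-permission matter and is outside what this call can express.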