Rik van Riel wrote:
>
> On Fri, 14 Apr 2000, Linda Walsh wrote:
>
> > Set points would be at 'login', cron/at (running as a user),
> > r(sh,cp,login), and s(sh,..?). Implementation at user level
> > would probably be in a pam library.
>
> Please add httpd, sendmail/procmail, ftpd and dozens of other
> daemons (most of which are not linked to pam, so this change
> is certainly not transparent to userland).
> For quota I think we should use the EUID. This is both
> transparent and conceptually the "right" thing (if users see
> a daemon run with a particular euid, they expect that system
> limits are applied to that user).
--- I'm not talking about limits. I'm talking about an auditting ID that needs to be based on a when a user logs in and stays with them over any SUID or 'su' commands.Httpd, sendmail and all the deamons you mention would be run with the default system ID of 'init'. They are 'system' processes and as such, in a 'trusted' Computing base (TCB) they would not have a 'login' id associated with them. ftpd/rtelnetd should theoretically be using 'pam' when they start a login session. I've been told by someone else in my group, who is analyzing these functions, that rtelnetd calls login (which uses pam). On my system their are entries for both rlogin and ftpd and samba, etc in pam. So none of the demons you mention would be affected.
-l -- Linda A Walsh | Trust Technology, Core Linux, SGI law@sgi.com | Voice: (650) 933-5338
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat Apr 15 2000 - 21:00:26 EST