Re: [PATCH 0/4] MultiAdmin LSM

[Pavel Machek]

Hi!

> Subject: [PATCH 0/4] MultiAdmin LSM
>          (was: Re: Time to remove LSM
>          (was: Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks))
> 
> 
> 0. Preface
> ==========
> Thanks to Greg who, requiring me to post more-split patches, made me
> reconsider the code. I did nothing less than to simplified the whole patch
> cruft (shrunk by factor 10) and removed what seemed unreasonable. This
> thread posts MultiAdmin *1.0.5*.
> 
> 
> 
> 1. Super-short description
> ==========================
> Three user classes exist (determined by user-defined UID ranges),
>     - superadmin, the usual "root"
>     - subadmin
>     - normal users
> 
> A usual (non-multiadm,non-selinux) system has only one superadmin (UID 0)
> and a number of normal users, and the superadmin can operate on
> everything.
> 
> The "subadmin" can read in some superadmin-only places, and is allowed to
> fully operate on processes/files/ipc/etc. of normal users. The full list
> (possibly incomplete) of permissions is available in the README.txt
> (includes short description) in the out-of-tree tarball.
> [http://freshmeat.net/p/multiadm/]

I guess you should really split CAP_SYS_ADMIN into some subsets that
make sense... along with explanation why subsets are 'right'.

							Pavel
-- 
Thanks, Sharp!
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/