Re: RFC: Network privilege separation.

From: david
Date: Thu Jan 08 2009 - 01:50:12 EST


On Thu, 8 Jan 2009, Andi Kleen wrote:

> On Wed, Jan 07, 2009 at 09:31:11PM -0500, Michael Stone wrote:
>> -- if it's different from Joe User's regular uid, then where did it come
>> from and how is Joe going to clean it up when he no longer needs it?
>
> You always create joe-nonet one when you create joe
>
> Now writing to joe's files: you can either use ACLs or do everything
> through group accesses (it's very common to have a "joe" group for this
> purpose for each user)
>
> But perhaps it's a good idea to not allow writing to all of Joe's
> files by those "no network" processes too. It at least sounds like
> that might be useful to combine.

there are times when that would be nice, but it's also a bit of a pain to have to change the permissions so that joe-nonet can access all the files that joe can access (they will have to be set with the correct group ownership and hope that there wasn't a reason to use any other group)

David Lang
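
The group-access approach discussed above depends on every one of joe's files carrying the "joe" group and group permission bits. The following is an added example, not part of the original message or of any project's code: it walks a tree and lists the entries a second uid in that group (the thread's joe-nonet) could not read and write. It assumes plain mode bits only and ignores POSIX ACLs; the function name and reason strings are made up for illustration.

```python
import os
import stat
import sys


def audit_group_access(root, gid):
    """Return (path, reason) pairs for entries under root that a non-owner
    member of group `gid` could not read and write.

    Assumption: only classic mode bits are checked, POSIX ACLs are ignored.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Check the directory itself, then each file inside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful on Linux
            if st.st_gid != gid:
                # The case raised in the reply: the file already uses some
                # other group, so the shared group cannot be applied as is.
                findings.append((path, "wrong-group"))
                continue
            needed = stat.S_IRGRP | stat.S_IWGRP
            if stat.S_ISDIR(st.st_mode):
                needed |= stat.S_IXGRP  # traversal needs the search bit
            if st.st_mode & needed != needed:
                findings.append((path, "missing-group-bits"))
    return findings


if __name__ == "__main__":
    # Usage: script.py <directory> <numeric gid of the shared group>
    for path, reason in audit_group_access(sys.argv[1], int(sys.argv[2])):
        print(f"{reason}\t{path}")
```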