Re: PACL Announce (was Re: Experimental yet...)

linux kernel account (linker@nightshade.ml.org)
Fri, 22 Aug 1997 22:29:38 -0400 (EDT)


I would hope that such fine grained security measures make their way in as
compile options and sysctls.. Because if they don't, once the kernel
reaches a stable state again I imagine this would be risking a split..

There are many features that many find unsuitable for the kernel in
general.. Such as super-security (like B1 and such).. Such features are
neither needed nor desired by most users.. Patches for the mainstream
kernel would suffice except these features cause rather big changes and it
is nearly impossible to use several such patches at once.. But I suppose
it will happen sooner or later.. GGI, ACLs, no-exec stack.. Not to
mention the chaos when someone takes/modifies init, xfree, a
windowmanager, some graphical utils, and makes linux-for-desktop-dummies..

Sigh, you owe the oracle some prozac..
oops.. I've been playing the oracle too much I guess.. :)

On Fri, 22 Aug 1997, Todd Graham Lewis wrote:

> On Fri, 22 Aug 1997, Chris Evans wrote:
>
> > I approve of the functionality this patch provides very much; suddenly a
> > whole _stack_ of suid root binaries need not be so.
>
> The functionality is also essential to building high-end firewalls, but
> removing the necessity behind running network daemons as suid was the
> major part of the motivation behind PACL; glad you approve.
>
> > However, I will get the same benefit from POSIX.1e when Linux supports it,
> > and this latter way has the advantage of conforming to a standard.
> > Granted, we wouldn't have the same granularity :-)
>
> That's exactly it; you won't get the same granularity. Once the FIXMEs
> from my original message are fixed, I think that PACL can be a much
> better solution to the problem.
>
> > Nice hack though, I'll try it out. Just don't be surprised if your patch
> > isn't scheduled for inclusion in the kernel by the powers that be....
>
> I like to think of it as offering a superset of POSIX.1e, not as
> being incompatible. Even if it isn't, I'm going to pretend that it's
> a superset, at least. 8^)
>
> Seriously, just because POSIX does something in a conservative and
> unsatisfactory manner does not, per se, mean that we can't do something
> better. Of course, PACL may very well not be that something, but I'd
> like to see similar functionality, one way or another, in the kernel.
>
> I don't think that PACL is, on its face, unacceptable, but time will tell;
> I will ask for inclusion eventually.
>
> --
> Todd Graham Lewis Manager of Web Engineering MindSpring Enterprises
> (800) 719-4664, x2804 Linux! tlewis@mindspring.net
>