It scares me too! Imagine the possibilities of hijacking a program
that is able to make such system calls!!
In general, this sort of function call makes it hard to mandate a
provable policy for enforcing privilege on a system. You might like
to read the guidelines given in the Orange Book:
http://parc.power.net/morgan/Orange-Linux/refs/Orange/Orange0-4.html#ss4.4
The (draft) POSIX.1e extensions (as implemented by linux-privs)
overload the filesystem to restrict privileges in two ways:
1. this program is allowed to raise these (and only these)
capabilities (aka. privileges)
2. this program is allowed to inherit these capabilities
from the chain of execution.
The more I have played with this, the more I am convinced that this
scheme _is_ really well thought out. [For the uninitiated, a
capability is a very small component of the omnipotence of the
"super-user". For example, POSIX mandates a single capability for
overriding the ability to bind to a privileged port: sendmail would
get this one but not the (Linux specific) one that enables it to
reconfigure a firewall...]
The shared library idea is something else, and probably not so bad.
So far as I can see it is a logical extension of using helper binaries
for code that does not need to run in parallel and so minimizes
race/locking and other communication problems. Implementing it, imho,
would be a good thing.
Cheers
Andrew
__
new job - new sig file under construction...
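The two file-level restrictions Andrew lists above (what a binary may raise, and what it may inherit from the chain of execution) boil down to a small bit-set calculation performed at exec time. The following is an added illustration, not code from the mail, from linux-privs or from the POSIX.1e draft: it models that calculation with the rule as later documented in Linux's capabilities(7), using the capability bit numbers from <linux/capability.h>. It assumes no ambient set and no setuid-root special case (both are left out), and the `bounding` parameter is the later Linux bounding set; pass CAP_ALL to get the bare draft-era rule. The sendmail/firewall scenario is the one from the mail, with constructed capability sets.

```c
/* Added example: model of the POSIX.1e-style capability transformation
 * at exec(2). Bit numbers match <linux/capability.h>; the formula is the
 * one documented in capabilities(7). Assumption: no ambient set and no
 * setuid-root special case are modelled. */
#include <stdint.h>
#include <stdio.h>

enum {
    CAP_SETUID           = 7,
    CAP_NET_BIND_SERVICE = 10,  /* bind to TCP/UDP ports below 1024 */
    CAP_NET_ADMIN        = 12,  /* interface/routing/firewall configuration */
    CAP_SYS_ADMIN        = 21,
};

#define CAP_BIT(c)  (UINT64_C(1) << (c))
#define CAP_ALL     UINT64_MAX   /* no bounding-set restriction at all */

/* Per-process capability sets. */
typedef struct { uint64_t effective, permitted, inheritable; } proc_caps;

/* File capabilities attached to an executable: the "may raise" set
 * (permitted), the "may inherit" set (inheritable), and one effective
 * flag saying whether permitted becomes effective immediately. */
typedef struct { uint64_t permitted, inheritable; int effective; } file_caps;

/* P = caps before exec, F = file caps, P' = caps after exec:
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & bounding)
 *   P'(effective)   = F(effective) ? P'(permitted) : 0
 *   P'(inheritable) = P(inheritable)
 * `bounding` is the (later) Linux bounding set; CAP_ALL gives the draft rule. */
proc_caps caps_after_exec(proc_caps p, file_caps f, uint64_t bounding)
{
    proc_caps r;
    r.permitted   = (p.inheritable & f.inheritable) | (f.permitted & bounding);
    r.effective   = f.effective ? r.permitted : 0;
    r.inheritable = p.inheritable;
    return r;
}

int has_cap(uint64_t set, int cap) { return (set & CAP_BIT(cap)) != 0; }

/* What a daemon does once its privileged port is bound: keep only the
 * listed capabilities and clear inheritable so children get nothing. */
proc_caps caps_drop_to(proc_caps p, uint64_t keep)
{
    p.permitted   &= keep;
    p.effective   &= p.permitted;
    p.inheritable  = 0;
    return p;
}

/* Scenario from the mail (constructed file caps): sendmail may raise
 * CAP_NET_BIND_SERVICE and nothing else; it may inherit nothing. */
static const file_caps SENDMAIL_FCAPS = { CAP_BIT(CAP_NET_BIND_SERVICE), 0, 1 };

/* A hypothetical firewall helper that may only *inherit* CAP_NET_ADMIN:
 * it gets it from an invoker carrying it in inheritable, not otherwise. */
static const file_caps FWHELPER_FCAPS = { 0, CAP_BIT(CAP_NET_ADMIN), 1 };

int main(void)
{
    proc_caps user    = { 0, 0, 0 };                       /* plain user shell */
    proc_caps fwadmin = { 0, 0, CAP_BIT(CAP_NET_ADMIN) };  /* shell with NET_ADMIN in pI */

    proc_caps sm = caps_after_exec(user, SENDMAIL_FCAPS, CAP_ALL);
    printf("sendmail from user:    bind=%d netadmin=%d\n",
           has_cap(sm.effective, CAP_NET_BIND_SERVICE),
           has_cap(sm.effective, CAP_NET_ADMIN));

    /* Even an invoker carrying NET_ADMIN cannot push it into sendmail,
     * because sendmail's file inheritable set is empty. */
    sm = caps_after_exec(fwadmin, SENDMAIL_FCAPS, CAP_ALL);
    printf("sendmail from fwadmin: netadmin=%d\n", has_cap(sm.effective, CAP_NET_ADMIN));

    proc_caps fw = caps_after_exec(user, FWHELPER_FCAPS, CAP_ALL);
    printf("fwhelper from user:    netadmin=%d\n", has_cap(fw.effective, CAP_NET_ADMIN));
    fw = caps_after_exec(fwadmin, FWHELPER_FCAPS, CAP_ALL);
    printf("fwhelper from fwadmin: netadmin=%d\n", has_cap(fw.effective, CAP_NET_ADMIN));

    proc_caps bound = caps_drop_to(sm, CAP_BIT(CAP_NET_BIND_SERVICE));
    printf("after drop: permitted=%#llx inheritable=%#llx\n",
           (unsigned long long)bound.permitted, (unsigned long long)bound.inheritable);
    return 0;
}
```

The point the two scenarios make is the one in the mail: the file's permitted set bounds what the binary can ever raise on its own, and the file's inheritable set bounds what it can pick up from its caller, so neither a privileged caller nor a hijacked sendmail can turn CAP_NET_BIND_SERVICE into CAP_NET_ADMIN.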