> * a Bounding Set that serves as a fail-safe mechanism to ensure users
> cannot acquire more privilege beyond what they have been authorized
Excellent, yes, please implement this set. It should merely be the matter
of an extra mask in the compute_creds function, and a couple more calls to
drop bits from this mask.
I perceive the main benefit of this for users like "nobody"; with an
empty bounding set the user really can be "unprivileged", in the sense
they can't try and exploit your SUID/privileged programs to gain a root
shell etc.
Cheers
Chris
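A toy model of the masking described in the reply above, added here as an illustration and not code from the thread or from the Linux kernel: the capability bit values, the simplified `compute_creds`, `drop_bounding` and `caps_after_setuid_exec` are all hypothetical, and file capabilities are reduced to a permitted/inheritable pair plus a set-uid-root flag.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical capability bits (not the kernel's real numbering). */
#define CAP_CHOWN     (1u << 0)
#define CAP_NET_ADMIN (1u << 1)
#define CAP_SYS_ADMIN (1u << 2)
#define CAP_ALL       0x7u

typedef struct {
    uint32_t permitted, effective, inheritable;
    uint32_t bounding;   /* the extra mask proposed in the thread */
    int euid;
} creds_t;

/* What an executable would grant: permitted, inheritable, set-uid root. */
typedef struct { uint32_t fP, fI; bool setuid_root; } file_caps_t;

/* Toy compute_creds: credentials after exec'ing file f.
 * A set-uid-root binary starts from the full set, but whatever the file
 * grants is ANDed with the caller's bounding set, which is inherited
 * unchanged, so privilege can never grow past that mask. */
creds_t compute_creds(creds_t old, file_caps_t f)
{
    creds_t cur = old;
    uint32_t fp = f.fP, fi = f.fI;
    if (f.setuid_root) { fp = CAP_ALL; fi = CAP_ALL; cur.euid = 0; }
    cur.permitted   = (fp & old.bounding) | (old.inheritable & fi & old.bounding);
    cur.effective   = cur.permitted;
    cur.inheritable = old.inheritable;
    cur.bounding    = old.bounding;      /* carried across exec as-is */
    return cur;
}

/* Drop bits from the bounding set; there is no call that adds them back. */
void drop_bounding(creds_t *c, uint32_t bits)
{
    c->bounding &= ~bits;
}

/* Helper for the scenario in the mail: a user whose bounding set is
 * `bounding` execs a set-uid-root program; returns the permitted set. */
uint32_t caps_after_setuid_exec(uint32_t bounding)
{
    creds_t nobody = { 0, 0, 0, bounding, 65534 };
    file_caps_t suid_root = { 0, 0, true };
    return compute_creds(nobody, suid_root).permitted;
}
```

With an empty bounding set the set-uid-root program still runs with euid 0 in this model, but its permitted set is empty, which is the "really unprivileged" property the reply is after.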
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu