Re: RFC: disablenetwork facility. (v4)

From: Valdis . Kletnieks
Date: Tue Dec 29 2009 - 16:48:49 EST


On Tue, 29 Dec 2009 15:27:22 CST, "Serge E. Hallyn" said:
> I think i disagree. A uid is just a uid (or should be). One day we may
> have a way for a factotum-style daemon to grant the ability to an unpriv
> task to setuid without CAP_SETUID. I think slingling uids and gids
> around that you already have access to should be fine.

Yes, but not doing the clear and obvious simple thing now for a "one day
we may have" consideration seems a poor engineering tradeoff.

Yes, slinging uids and gids around *would* be nice. But first we need a clear
plan for making /usr/bin/newgrp a shell builtin - once that happens, *then*
we can re-address this code. ;)

Attachment: pgp00000.pgp
Description: PGP signature