Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)

From: Pavel Machek
Date: Thu Jan 14 2010 - 04:23:02 EST


> On Tue, 12 Jan 2010 08:59:27 +0100, Pavel Machek said:
>
> > Well, maybe, but mailer system where first user starts it as a daemon
> > makes sense...
>
> Does it? How do you get port 25 open for listening if the first user isn't
> root? Most *actual* schemes to "launch at first use" that require privs for
> something have used inetd or similar - that program exists for a
> *reason*.

Remember sendmail is setuid root... so it already has the permissions.

Except that proposed disablenetwork would take network connectivity
even from setuid apps.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html