Re: Misc Fixes

Stephen C. Tweedie (sct@dcs.ed.ac.uk)
Sat, 13 Jul 1996 12:19:56 +0100


Hi,

On Fri, 12 Jul 1996 07:26:50 +0100, Matthias Urlichs
<smurf@smurf.noris.de> said:

> IMHO, securelevel is a stopgap hack until the finer-grained
> permission test / ACL stuff is here. "root" can do _anything_ to the
> system; always could, and always will, until we get rid of that
> singular root account (eg., make suser() always return false if the
> securelevel is high enough; but that needs the aforementioned stuff
> in order to work in the real world).

The POSIX.6 code won't suddenly make securelevel obsolete --- the two
mechanisms are quite orthogonal and are both useful in improving
system security. For example, programs like insmod will need to have
POSIX.6 permission to access kernel memory, but the sysadmin might
well want to selectively revoke all access to kmem in multiuser
runlevels, even for privileged programs like insmod.

POSIX.6 only gives you per-program and per-process granularity; it
doesn't give you time-based granularity with the ability to enable and
disable an entire security ring on a system-wide basis at run time.
securelevel gives you the latter without the former. If we want to
allow admins to really secure their boxes, we want to keep both
mechanisms around (although admittedly we need to give securelevel
much finer granularity to make it really useful in such an
environment).

Cheers,
Stephen.

--
Stephen Tweedie <sct@dcs.ed.ac.uk>
Department of Computer Science, Edinburgh University, Scotland.
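A toy model of the two orthogonal checks discussed above, added here as an illustration and not code from the thread or from the Linux kernel: per-process capability bits (stand-ins for POSIX.6 privileges) and a system-wide securelevel that can only be raised at run time. The capability names, the securelevel thresholds and the monotonic-raise rule are assumptions of this model.

```c
/* Model of two independent privilege gates. Not kernel code; the names,
 * bit values and thresholds below are invented for illustration. */
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical per-process capability bits (not the real CAP_* values). */
#define CAP_RAWIO   (1u << 0)   /* raw access to kernel memory */
#define CAP_MODULE  (1u << 1)   /* load kernel modules */

struct task { const char *name; unsigned caps; };

/* System-wide state, changed by the admin at run time. In this model it
 * may only go up; lowering it would need a reboot. */
static int securelevel = 0;

bool raise_securelevel(int level) {
    if (level < securelevel) return false;   /* refuse to lower */
    securelevel = level;
    return true;
}

int get_securelevel(void) { return securelevel; }

/* Per-process gate: does this task hold the capability? */
bool capable(const struct task *t, unsigned cap) {
    return (t->caps & cap) == cap;
}

/* Combined policy. Holding the capability is necessary but not sufficient:
 * once securelevel reaches the threshold, access is revoked system-wide,
 * even for a privileged program such as insmod. Thresholds are assumed. */
bool may_write_kmem(const struct task *t) {
    return capable(t, CAP_RAWIO) && securelevel < 1;
}

bool may_load_module(const struct task *t) {
    return capable(t, CAP_MODULE) && securelevel < 2;
}

int main(void) {
    struct task insmod = { "insmod", CAP_MODULE | CAP_RAWIO };
    struct task shell  = { "sh", 0 };
    for (int level = 0; level <= 2; level++) {
        raise_securelevel(level);
        printf("securelevel %d: insmod kmem=%d module=%d, sh kmem=%d\n",
               get_securelevel(), may_write_kmem(&insmod),
               may_load_module(&insmod), may_write_kmem(&shell));
    }
    return 0;
}
```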