>On Mon, 17 May 1999, Theodore Y. Ts'o wrote:
>
>> My big question with Pavel's patches is that if you're just dropping
>> privileges, why not just do it programmatically in the program?
>
>Maybe because it's often impossible without writing a new program?
>
>Let me [give] you all an example. Let's say that I installed a fresh copy of
>Linux, and I want to run program xxx as root, but I don't quite trust it
>enough to do everything, so I want to drop certain privileges. How do I do
>that?
With the system Ted Ts'o mentioned in the quoted message, what you could
do is to run:
droppriv -privilege1 -privilege2 nastyprogram args ...
where droppriv would be a generic privilege-dropping program similar to
nice(1).
I think there may be a large need for something like this, not just for
setuid-root programs, but so that ordinary users can run untrusted
programs off the net without putting their own data at risk. The Java
hype is not entirely convincing, but if they have anything there, it can
be done much more securely by putting protections in the operating
system, which then uses the computer's hardware to enforce them, than by
trusting a Java interpreter to be bug-free. Another advantage of putting
this sort of thing in the operating system would be that existing code
could be used in untrustable network programs; they wouldn't have to be
rewritten in Java.
-- Norman Yarvin yarvin@cs.yale.edu- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/