Date:      Tue, 24 Sep 2002 19:44:46 -0400
From:      "Brian T. Schellenberger" <bts@babbleon.org>
To:        "David P. Reese Jr." <daver@gomerbud.com>, Juli Mallett <jmallett@freebsd.org>
Cc:        hackers@freebsd.org
Subject:   Re: Just a wild idea
Message-ID:  <200209241944.46384.bts@babbleon.org>
In-Reply-To: <20020924080914.GA2870@tombstone.localnet.gomerbud.com>
References:  <013f01c2320d$10ceff00$6401a8c0@dchristenson> <20020924080914.GA2870@tombstone.localnet.gomerbud.com>


You can get a somewhat similar effect right now (that is, root being not 
permitted to mess with your files) by using "cfs."

Ok, true, root can still destroy your files by using the underlying 
"real" file system, but he can't view or manipulate them in their 
plaintext form.

I must say that when I first installed cfs I was quite taken aback when, 
as root, I encountered this:

   i8k# ls /c/bts
   ls: bts: Operation not permitted
   i8k#

Of course, it's not at all the same thing, really--root just has to 'su' 
to the ordinary user and then he gains privileges to the file, but you 
can never at one moment have the power of root *and* access to the 
files in the cfs file system.  (Unless root is the one attached to 
them, of course.)


On Tuesday 24 September 2002 04:09 am, David P. Reese Jr. wrote:
| On Mon, 23 Sep, 2002, Lamont Granquist wrote:
| >> Maybe just replace all suser(9) uses with MAC credential checks,
| >> and install MAC_UNIX by default, which would be set up to behave
| >> like ye olden UNIX...  Who knows.
| >
| > Something like that sounds like a really good idea.  I'd like to see
| > this not only for binding to low ports but also, for example, to
| > set the system time -- this would let you run ntpd as non-root.
| >
| > It'd be interesting to have a system one day where once you've gone
| > past single user mode, root drops all its privs and acts just like
| > a normal user account and daemon accounts only have special privs
| > handed out to them in little chunks.
|
| This is starting to sound a bit too much like Plan9.  Here is a very
| short snippit on filesystem permissions from the document at:
| http://plan9.bell-labs.com/wiki/plan9/KFS_file_system_configuration/index.html
|
| [snip]
| There is no super-user; the closest equivalent is the person who
| booted the terminal (generically called Eve; Adm owns the file
| server). Most devices are owned by Eve, and the local kernel will let
| Eve do most things commonly associated with a super-user (for
| example, debug or kill processes she doesn't own). Eve's power does
| not extend past the local machine, though, or even into the kfs file
| system. The important difference is that the kfs file system is being
| provided by a user process, which has its own permissions checking
| separate from the kernel, and it does not care to let the hostowner
| have special permissions directly.
| [snip]

-- 
Brian, the man from Babble-On . . . .   bts@babbleon.org (personal)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
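Added example, not code from the thread, FreeBSD or cfs: a toy model of the two ideas discussed above, replacing a blanket suser() test with per-privilege credential checks so a daemon like ntpd holds only the one chunk it needs, and a cfs-style attach that refuses uid 0 unless root was the one who attached. All names (priv_t, cred_t, priv_check_cred, cfs_may_read_plaintext) are hypothetical, not FreeBSD's MAC or priv(9) API.

```c
/* Hypothetical privilege model, not FreeBSD's MAC or priv(9) API. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    PRIV_BIND_LOWPORT = 1u << 0,   /* bind(2) to a port below 1024 */
    PRIV_SETTIME      = 1u << 1,   /* settimeofday(2), what ntpd needs */
    PRIV_KILL_ANY     = 1u << 2,   /* signal another user's processes */
} priv_t;
#define PRIV_ALL (PRIV_BIND_LOWPORT | PRIV_SETTIME | PRIV_KILL_ANY)

typedef struct { uint32_t uid; uint32_t privs; } cred_t;

/* Classic suser(9): uid 0 can do everything, everyone else nothing. */
static bool suser(const cred_t *c) { return c->uid == 0; }

/* Credential check: only the bits actually granted count; uid is ignored. */
static bool priv_check_cred(const cred_t *c, priv_t p) { return (c->privs & p) == p; }

/* Hand a daemon one chunk of privilege. */
static void priv_grant(cred_t *c, priv_t p) { c->privs |= p; }

/* The proposal quoted above: past single-user mode, root keeps no privileges. */
static void leave_single_user(cred_t *root) { root->privs = 0; }

static cred_t root_cred(void) { cred_t c = { 0, PRIV_ALL }; return c; }
static cred_t user_cred(uint32_t uid) { cred_t c = { uid, 0 }; return c; }

/* cfs-style attach: the plaintext view belongs to the attaching uid only, so
 * root gets "Operation not permitted" unless root did the attach. */
typedef struct { uint32_t attacher_uid; } cfs_attach_t;
static bool cfs_may_read_plaintext(const cred_t *c, const cfs_attach_t *a) {
    return c->uid == a->attacher_uid;
}

int main(void) {
    cred_t root = root_cred(), ntpd = user_cred(123);   /* constructed uids */
    priv_grant(&ntpd, PRIV_SETTIME);          /* settime only, no low-port bind */
    leave_single_user(&root);
    cfs_attach_t bts = { 1001 };              /* attached by ordinary user 1001 */
    printf("ntpd settime=%d root settime=%d suser(root)=%d root reads /c/bts=%d\n",
           priv_check_cred(&ntpd, PRIV_SETTIME), priv_check_cred(&root, PRIV_SETTIME),
           suser(&root), cfs_may_read_plaintext(&root, &bts));
    return 0;
}
```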