Date: Fri, 17 Apr 1998 17:33:00 -0400 (EDT) From: Robert Watson <robert@cyrus.watson.org> To: Dima Ruban <dima@best.net> Cc: Matthew Hunt <mph@pobox.com>, stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: kernel permissions (part II) Message-ID: <Pine.BSF.3.96.980417172838.11132D-100000@trojanhorse.pr.watson.org> In-Reply-To: <199804170645.XAA13015@burka.rdy.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 16 Apr 1998, Dima Ruban wrote: > How about change like this (I didn't implement it yet, but it's not be a big > deal). > Right now we have a mount flag "nosuid". It serves it's mission, > but I'd love to have some flexibility on this. > Example is ISP enviroment (again :-). You want to allow users to have > suid to them programs, but at the same time you feel bad about having > suid programs for uids less than something (let's say 100). > > How about to implement this? Via mount options or something else? > Let's say, one wants to allow users to have suid programs, if uid on suid > program is greater than N and less than M. I was playing with this idea at one point, but still am not sure it is the best solution. One thing that might be nice to see (if layering support gets fixed) would be a POSIX capabilities layer to reduce the number of setuid programs needed. In an ISP environment, what setuid programs do you have in mind that users would use? I have never tried the setuid cgi wrapper I've heard described in the context of apache, for example. Robert N Watson ---- Carnegie Mellon University http://www.cmu.edu/ Trusted Information Systems http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980417172838.11132D-100000>