From owner-freebsd-hackers Tue Sep 22 09:15:22 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA00984 for freebsd-hackers-outgoing; Tue, 22 Sep 1998 09:15:22 -0700 (PDT) (envelope-from owner-freebsd-hackers@FreeBSD.ORG) Received: from pau-amma.whistle.com (s205m64.whistle.com [207.76.205.64]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA00891 for ; Tue, 22 Sep 1998 09:15:00 -0700 (PDT) (envelope-from dhw@whistle.com) Received: (from dhw@localhost) by pau-amma.whistle.com (8.8.8/8.8.7) id JAA14748; Tue, 22 Sep 1998 09:14:11 -0700 (PDT) (envelope-from dhw) Date: Tue, 22 Sep 1998 09:14:11 -0700 (PDT) From: David Wolfskill Message-Id: <199809221614.JAA14748@pau-amma.whistle.com> To: freebsd-hackers@FreeBSD.ORG, ncb05@uow.edu.au Subject: Re: follow-up to lkm query In-Reply-To: Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG >Date: Tue, 22 Sep 1998 10:14:04 +1000 (EST) >From: Nicholas Charles Brawn >To give you an idea of what i'm working on, I have a security mod that >temporarily replaces syscalls (execve, link, symlink, write, etc), >performs some access-control, then passes back to the original syscall. Hmmm.... >I'd like to be able to modify the acl via userland if possible, and one >such thought was to have two lkms, one which was for "admin" purposes, >such as modifying the acl list, and the other which actually did the >work and performed authentication/etc by calling the other one. >Anyway, if anyone could offer any suggestions I would be much appreciative. No specific suggestions just yet, but in the dozen years I spent as an MVS systems programmer, installing, maintaining, and writing "user exits" to take advantage of RACF ("Resource Access Control Facility") was one of my specialties, and I'm certainly willing to help where I can. [RACF was(/is? -- been away for a few years) often referred to as a "security" product, which is something that I find misleading (at best); rather, it's a product that handles user authentication, administrative facilities for manipulating ACLs, and auditing. The actual "resource control" isn't done by RACF at all (save for control over its internal resources), but by code in other parts of the system, such as OPEN or IKJTSO00.... I wrote code, for example, to use RACF ACLs to control which disks would be written to when a file was created or extended -- among (several!) other things....] david -- David Wolfskill UNIX System Administrator dhw@whistle.com voice: (650) 577-7158 pager: (650) 371-4621 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message