Date: Mon, 28 Aug 2000 20:54:09 +1100 (EST)
From: Bruce Evans
To: Robert Watson
Cc: freebsd-security@FreeBSD.ORG, phk@FreeBSD.ORG, green@FreeBSD.ORG
Subject: Re: Review request: replacing p_trespass(), modifications to vaccess()

On Sun, 27 Aug 2000, Robert Watson wrote:

> I've put up a patch that makes fairly extensive changes to the structure
> (but hopefully not the semantics) of inter-process authorization checks:
>
> http://www.freebsd.org/~rwatson/p_stuff.diff

Most of this seems reasonable.

> 3) Modify vaccess() so that it is restructured for more careful/ordered
>    use of privilege, and so that capability support can be added more
>    easily. This should be semantically the same from a results
>    perspective, but it is more careful to do a discretionary access
>    check before falling back in privilege, et al. As such, the KSU

ASU?

>    accounting bit will now be set correctly in vaccess() for processes
>    running as uid 0, if they use privilege to access a file rather
>    than discretionary rights.

vaccess() currently intentionally doesn't set ASU, since checking for
access doesn't require any privilege. ASU should only be set if
privileged access is used, e.g., upon successful completion of an
open(2) call that needed privilege to succeed, but never for access(2).
Bruce
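A simplified model of the ordering discussed above, added here as an illustration and not code from the patch or from FreeBSD: the discretionary check runs first, uid 0 privilege is consulted only if that fails, and the ASU accounting bit is set only when privilege was actually used by a caller that acts on the result (open(2)) rather than one that merely probes rights (access(2)). The names `model_vaccess`, `struct cred`, `struct file_attr` and the `ACCESS_CHECK_ONLY` flag are assumptions; the flag is one way to express the open(2)-versus-access(2) distinction, not the kernel's interface.

```c
#include <errno.h>
#include <stdbool.h>
#include <sys/types.h>

/* Hypothetical model of vaccess() ordering; not FreeBSD's real code. */
#define MODE_READ  4
#define MODE_WRITE 2
#define MODE_EXEC  1

/* Passed by a caller such as access(2) that only probes rights. */
#define ACCESS_CHECK_ONLY 1
struct cred {
    uid_t uid;
    gid_t gid;
    bool  asu;      /* accounting bit: privilege was actually used */
};

struct file_attr {
    uid_t    owner;
    gid_t    group;
    unsigned mode;  /* low 9 bits: rwxrwxrwx */
};
/* Discretionary check: do the owner/group/other bits grant every requested bit? */
static bool discretionary_allows(const struct cred *c, const struct file_attr *f,
                                 unsigned req)
{
    unsigned bits = f->mode & 7;                 /* other */
    if (c->uid == f->owner)
        bits = (f->mode >> 6) & 7;               /* owner */
    else if (c->gid == f->group)
        bits = (f->mode >> 3) & 7;               /* group */
    return (bits & req) == req;
}

/* Returns 0 or EACCES; sets ASU only when uid 0 privilege was needed AND the
 * caller will act on the result (open(2)), never for a bare access(2) probe. */
int model_vaccess(struct cred *c, const struct file_attr *f, unsigned req, int flags)
{
    if (discretionary_allows(c, f, req))        /* 1. discretionary rights first */
        return 0;
    /* 2. fall back to privilege; exec still needs some x bit, as on Unix */
    if (c->uid == 0 && (!(req & MODE_EXEC) || (f->mode & 0111))) {
        if (!(flags & ACCESS_CHECK_ONLY))
            c->asu = true;                       /* privilege actually used */
        return 0;
    }
    return EACCES;                               /* 3. neither rights nor privilege */
}
```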