Date:      Tue, 29 Aug 2000 00:09:34 +1100 (EST)
From:      Bruce Evans <bde@zeta.org.au>
To:        Robert Watson <rwatson@FreeBSD.ORG>
Cc:        freebsd-security@FreeBSD.ORG, phk@FreeBSD.ORG, green@FreeBSD.ORG
Subject:   Re: Review request: replacing p_trespass(), modifications to vaccess()
Message-ID:  <Pine.BSF.4.21.0008282356180.11320-100000@besplex.bde.org>
In-Reply-To: <Pine.NEB.3.96L.1000828082839.83018A-100000@fledge.watson.org>

On Mon, 28 Aug 2000, Robert Watson wrote:

> In the various p_can* calls, I have a *privused argument, intended to
> allow the caller to determine whether or not privilege would be used to
> perform the access authorized by the pcan* calls.  In my capability tree,
> the ASU flag is not set by suser(), rather by an independent suser_used(p)
> call, which is called based on a cumulative privilege flag, once some part
> of the operation commits persistently.  The same technique could easily be
> applied in vaccess().  However, I have received comments from a number of
> people that the ASU flag introduces more complexity than it is worth:
> they'd rather see reduced structural complexity, and lose the ASU flag.
> In any case, I'd like to see suser() used in vaccess(), centralizing the
> super-user decision, regardless of whether ASU is provided for, meaning
> that to correctly maintain ASU, it must not be set in suser().
> 
> With that reasoning in mind, do you think ASU can be {temporarily,
> permanently} deprecated/broken?

I think it should be permanently dropped from normal kernels, but your
work seems to require even more flags like it, at least for debugging.
I'm not sure how well complexity for extra security can be localised.

Bruce
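
The scheme described in the quoted message, as an added example that is not part of the original thread or of the FreeBSD source: a userland C model in which suser() only decides, a p_can*-style check reports *privused, and the caller invokes suser_used() once after something has actually committed. The struct proc layout, the exiting field, act_on_all() and all function bodies are assumptions made for illustration.

```c
/* Userland model of the scheme in the quoted message. The struct layout and
 * function bodies are simplified assumptions, not FreeBSD kernel code. */
#include <errno.h>

#define ASU 0x02                 /* accounting flag bit: super-user privilege used */

struct proc { unsigned uid; unsigned acflag; int exiting; };

/* Pure decision: 0 if p holds super-user privilege. Records nothing. */
static int suser(const struct proc *p) { return p->uid == 0 ? 0 : EPERM; }

/* Accounting, kept separate: called only after something has committed. */
static void suser_used(struct proc *p) { p->acflag |= ASU; }

/* p_can*-style check: may p1 act on p2? *privused reports whether the
 * grant depended on privilege rather than on matching credentials. */
static int p_can(const struct proc *p1, const struct proc *p2, int *privused)
{
    *privused = 0;
    if (p1->uid == p2->uid)
        return 0;
    if (suser(p1) == 0) {
        *privused = 1;
        return 0;
    }
    return EPERM;
}

/* Hypothetical caller: act on each target, accumulate privused only for
 * targets where the action really happened, then account once at the end. */
static int act_on_all(struct proc *p, struct proc *targets, int n)
{
    int cumulative = 0, done = 0, privused, i;

    for (i = 0; i < n; i++) {
        if (p_can(p, &targets[i], &privused) != 0)
            continue;            /* denied: nothing used, nothing recorded */
        if (targets[i].exiting)
            continue;            /* authorized, but the action did not commit */
        cumulative |= privused;
        done++;
    }
    if (cumulative)
        suser_used(p);
    return done;
}
```

If suser() set ASU itself, the first case in which root is checked against an exiting target would be accounted as privilege use even though nothing happened.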






