From owner-freebsd-hackers Mon Sep 23 11:23:58 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 931) id 96AB537B401; Mon, 23 Sep 2002 11:23:57 -0700 (PDT)
Date: Mon, 23 Sep 2002 11:23:57 -0700
From: Juli Mallett
To: Lamont Granquist
Cc: Paul Schenkeveld, FreeBSD Hackers
Subject: Re: Just a wild idea
Message-ID: <20020923112355.A53617@FreeBSD.org>
References: <20020922213311.A99425@FreeBSD.org> <20020923023031.D7466-100000@coredump.scriptkiddie.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020923023031.D7466-100000@coredump.scriptkiddie.org>; from lamont@scriptkiddie.org on Mon, Sep 23, 2002 at 02:37:31AM -0700
Organisation: The FreeBSD Project
X-Towel: Yes
X-LiveJournal: flata, jmallett
X-Negacore: Yes
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

* From: Lamont Granquist [ Date: 2002-09-23 ]
	[ Subject: Re: Just a wild idea ]
>
> On Sun, 22 Sep 2002, Juli Mallett wrote:
> > Maybe just replace all suser(9) uses with MAC credential checks, and
> > install MAC_UNIX by default, which would be set up to behave like
> > ye olden UNIX... Who knows.
>
> Something like that sounds like a really good idea. I'd like to see this
> not only for binding to low ports but also, for example, to set the system
> time -- this would let you run ntpd as non-root.
>
> It'd be interesting to have a system one day where once you've gone past
> single user mode, root drops all its privs and acts just like a normal
> user account and daemon accounts only have special privs handed out to
> them in little chunks.

One day? It's really easy to do, especially once you have a way for init
to set privs for the children easily, and you can just have your rc scripts
work with init.
--
Juli Mallett                              | FreeBSD: The Power To Serve
Will break world for fulltime employment. | finger jmallett@FreeBSD.org
http://people.FreeBSD.org/~jmallett/      | Support my FreeBSD hacking!