From owner-freebsd-security Thu Jun 25 04:36:40 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA19565 for freebsd-security-outgoing; Thu, 25 Jun 1998 04:36:40 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA19553 for ; Thu, 25 Jun 1998 04:36:25 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au) Message-Id: <199806251136.EAA19553@hub.freebsd.org> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA120274511; Thu, 25 Jun 1998 21:35:11 +1000 From: Darren Reed Subject: Re: bsd securelevel patch question To: njs3@doc.ic.ac.uk (Niall Smart) Date: Thu, 25 Jun 1998 21:35:11 +1000 (EST) Cc: dg@root.com, tqbf@pobox.com, easmith@beatrice.rutgers.edu, njs3@doc.ic.ac.uk, dima@best.net, security@FreeBSD.ORG, abc@ralph.ml.org, tqbf@secnet.com In-Reply-To: from "Niall Smart" at Jun 24, 98 09:20:39 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Niall Smart, sie said: > > > for granting access to privileged resources and capabilities. I think the > > best way to handle this, however, is with a file ACL mechanism that allows > > for the specification of privileges as and extension of the access control > > information. On the other hand, in VMS, special privileges can be granted to > > Of course, this implies that all permissions can be represented in > the filesystem. I can imagine a /dev/socket/inet/xyz mechanism which > allows a process to bind to a specific port or /dev/raw which allows > them to create a raw socket etc etc. This gets somewhat messy for the > above example since it is difficult to administer things like ranges > (eg ports 0 to 1024) using a single device file for each element in that > range, and any other approach (e.g. /dev/socket/inet/0-1024) seems to > lose the cleanliness offered by the "single file for everything" approach. sockets can easily be done with portals, for which it is easy to do the above (been there, done that for a small trial). To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message