[future patch] dropping user privileges on demand

Pawel Jakub Dawidek nick at garage.freebsd.pl
Thu Aug 21 13:43:19 PDT 2003


On Thu, Aug 21, 2003 at 01:09:15PM -0400, ari wrote:
+> [...] The programmer
+> should be able to drop filesystem creation permissions, without worrying
+> about the need to drop open, mkfifo, bind, link, symlink, mkdir, and any
+> other system calls that happen to be available in this particular kernel
+> version. [...]

In CerbNG you only need to write a macro like:

	#define	DROP_FS_CREATION()					\
	if (syscall == SYS_open || syscall == SYS_mkfifo ||		\
	    syscall == SYS_bind || syscall == SYS_link || ...) {	\
		return (EPERM);						\
	}

+> Of course it isn't a well-known standard.  It hasn't even been written
+> yet, aside from some proof-of-concept code that i have yet to package up
+> and put on the site.  Nor was systrace a well-known standard before it
+> was written (not that it's necessarily a "standard" now, though it is
+> quite popular).  I wouldn't expect programmers to immediately begin
+> using this code; if it catches on, however, and it's implemented in a
+> number of different operating systems, then there stands a greater
+> chance.  If it doesn't catch on and isn't used, then so be it.

As I said. Stuff like systrace or cerb doesn't need to be standardized,
because it is transparent for applications. It doesn't need any work from
userland application programmer. That's why it is easy to adopt for
non-BSD-licensed applications or even for non-open-source applications.

-- 
Pawel Jakub Dawidek                       pawel at dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
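
Added example, not part of the original message and not CerbNG policy code: a plain-C sketch of the class-based check discussed in this thread, where the policy owns the mapping from system calls to a "filesystem creation" class and a process only drops the class. The `sc` ids, `CLASS_FS_CREATE`, `policy_drop` and `policy_check` are hypothetical names, and treating `open` as creation only when `O_CREAT` is set is an assumption of this sketch.

```c
#include <errno.h>
#include <fcntl.h>

/* Hypothetical syscall ids, constructed for this example (not real SYS_* numbers). */
enum sc { SC_READ, SC_OPEN, SC_MKFIFO, SC_BIND, SC_LINK, SC_SYMLINK, SC_MKDIR };

/* Hypothetical privilege class: everything that creates a filesystem object. */
#define CLASS_FS_CREATE 0x1u

/* Per-process state: the set of classes the process has given up. */
struct proc_policy { unsigned dropped; };

/*
 * The policy, not the application, decides which calls belong to a class.
 * A syscall added in a later kernel version is tagged here once, and every
 * program that already dropped the class is covered without being changed.
 */
static unsigned sc_classes(enum sc id, int open_flags)
{
    switch (id) {
    case SC_OPEN:
        /* Assumption: open() only counts as creation when O_CREAT is requested. */
        return (open_flags & O_CREAT) ? CLASS_FS_CREATE : 0;
    case SC_MKFIFO:
    case SC_BIND:      /* listed in the thread; bind() can create a socket file */
    case SC_LINK:
    case SC_SYMLINK:
    case SC_MKDIR:
        return CLASS_FS_CREATE;
    default:
        return 0;
    }
}

/* Dropping is one-way: bits can be added to the dropped set, never cleared. */
void policy_drop(struct proc_policy *p, unsigned classes)
{
    p->dropped |= classes;
}

/* Returns 0 to allow the call, EPERM if it belongs to a dropped class. */
int policy_check(const struct proc_policy *p, enum sc id, int open_flags)
{
    return (sc_classes(id, open_flags) & p->dropped) ? EPERM : 0;
}
```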