On Thu, 10 Feb 2000, Matthew Kirkwood wrote:
> > You'll get that when the filesystem support for capabilities goes in.
> >
> > Alternatively, tighten up the bounding set as part of your system
> > initialisation scripts.
>
> Read what the man says, Chris. He wants to be able to decree that
> setuid programs (for example) don't get CNBS without breaking inetd.
>
> I don't believe that this is functionality for its own sake. If
> you think or it as a sysctl which allows you to turn off bits of
> SECURE_NO_SETUID_FIXUP.
It _is_ functionality for its own sake, because the design of the
capabilities system gives you the tools you need. We will have filesystem
support soon. Once you have that, the solution becomes one of userspace
setup rather than kernel support. Complexity is better in userspace than
the kernel.
We don't want to introduce temporary kernel tweaks between now and such
time as we have filesystem support for capabilities, because then people
will _use_ that support and we could get stuck with it.
Cheers
Chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Feb 15 2000 - 21:00:19 EST