Re: Capabilities

From: Gregory Maxwell (greg@linuxpower.cx)
Date: Fri Feb 11 2000 - 10:01:19 EST


On Fri, 11 Feb 2000 tytso@valinux.com wrote:

[snip]
> Well, there's a trade off here. If you could have 32 bits basically
> almost right away, and more would take longer, which would you choose?
> Also, keep in mind that more bits is not necessarily good. There is a
> *huge* complexity cost in maintaining capabilities. People have enough
> trouble keeping track of the 12 bits of permissions on a per file
> basis. This adds one or two orders of magnitude of more bits for every
> executable.
[snip]

Figured I'd peep in here. I'm running a system that makes heavy use of caps.
Every daemon is in a chroot jail, and every process that needs more than
normal user access uses capabilities. I've even globally dropped some caps
(the rawio/blockdevice cap provided by a patch).

I'm very familiar with 'the' unix kernel, and low-level programming. But
even with that knowledge it was often difficult getting the caps right.
Complexity = security holes.

If we go to many more caps, it will be virtually impossible for anyone but
gurus to safely use them, and since it's a platform-specific thing, I
don't know how many applications will use them out of the box.

It might be useful for someone to instrument strace so that it could tell
you what caps a bin is using.
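
Greg's wish for a tool that reports which caps a program actually uses is close to what /proc already exposes per process: the CapEff, CapPrm and CapBnd lines of /proc/<pid>/status are hex bit masks. As an added example (not from this mail or from any kernel tool; the function names cap_mask_from_line and cap_mask_names are mine, and the bit-to-name table assumes the numbering in current linux/capability.h), here is a small C program that decodes those masks for the calling process, so you can confirm that a daemon ended up with only the caps you meant to leave it:

```c
/* Added example (not from the mail): decode the Cap* lines of /proc/<pid>/status to see which capabilities a process really holds. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Bit index -> name, per linux/capability.h (bits 0..40, kernel 5.9 numbering; assumed current). */
static const char *cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill", "setgid",
    "setuid", "setpcap", "linux_immutable", "net_bind_service", "net_broadcast",
    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", "sys_rawio",
    "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice",
    "sys_resource", "sys_time", "sys_tty_config", "mknod", "lease", "audit_write",
    "audit_control", "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore" };
#define NCAPS (sizeof cap_names / sizeof cap_names[0])
/* Parse a line such as "CapEff:\t0000000000020400" into a mask; 0 if it is not the wanted field. */
uint64_t cap_mask_from_line(const char *line, const char *field) {
    size_t n = strlen(field);
    if (strncmp(line, field, n) != 0 || line[n] != ':') return 0;
    return strtoull(line + n + 1, NULL, 16); /* strtoull skips the leading tab */
}
/* Write the names of the set bits to out as "a,b,c" (unknown bits as cap_N); return the count. */
int cap_mask_names(uint64_t mask, char *out, size_t outlen) {
    int count = 0; char buf[40];
    out[0] = '\0';
    for (unsigned i = 0; i < 64; i++) {
        if (!(mask & (UINT64_C(1) << i))) continue;
        if (i < NCAPS) snprintf(buf, sizeof buf, "%s%s", count ? "," : "", cap_names[i]);
        else snprintf(buf, sizeof buf, "%scap_%u", count ? "," : "", i);
        strncat(out, buf, outlen - strlen(out) - 1);
        count++;
    }
    return count;
}
/* Stand-alone use: report the calling process's own capability sets. */
int main(void) {
    static const char *fields[] = { "CapEff", "CapPrm", "CapBnd" };
    char line[256], names[1024];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    while (fgets(line, sizeof line, f))
        for (int k = 0; k < 3; k++) {
            if (strncmp(line, fields[k], 6) != 0) continue;
            int n = cap_mask_names(cap_mask_from_line(line, fields[k]), names, sizeof names);
            printf("%s: %d cap(s) %s\n", fields[k], n, names);
        }
    fclose(f);
    return 0;
}
```

Run it as the daemon's user (or read /proc/<pid>/status of the running daemon instead of /proc/self) to compare the effective set against what the service actually needs; bit 17 (sys_rawio) is the cap this mail describes dropping globally.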

This archive was generated by hypermail 2b29 : Tue Feb 15 2000 - 21:00:20 EST