Re: Suggested dual human/binary interface for proc/devfs

From: Albert D. Cahalan (acahalan@cs.uml.edu)
Date: Sat Apr 15 2000 - 10:35:55 EST


brandon s. allbery writes:
> On 15 Apr, Albert D. Cahalan wrote:

>> It may be better to give group IDs flag bits. One could get
>> Netware-style trustees almost for free by using a flag bit to
>> distinguish UID and GID values. Other flag bits could specify:
>> can setgid(), can chown(), can gain access, can lose access,
>> can use for killing processes, etc.
>
> You've just reinvented capabilities.

No, not at all.

That isn't a general "can chown()"; it is gid-specific, etc.
You can't do process-level Netware trustees with capabilities.

With my suggestion, one can do: "Paul just left the company,
so we'll give the new guy read access to all of Paul's files
without changing file permissions all over the place."

There is no way capabilities can do that. Capabilities seem to
be a fairly poor solution to the console-user problem too, since
the console-user problem is one of device file access and one
does NOT want to simply grant the access-all-files capability.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
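The flag-bit idea in the message above, modelled in user space as an added example; it is not code from the original post or from the kernel. The bit layout, the `TR_*` names, both structs and the sample IDs are hypothetical, and only the "can gain access" and "can chown()" flags are modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical layout: low 24 bits hold the ID, high bits are per-ID flags. */
#define TR_ID_MASK 0x00ffffffu
#define TR_IS_UID  0x01000000u  /* entry names a UID rather than a GID */
#define TR_GAIN    0x02000000u  /* entry may be used to gain access */
#define TR_CHOWN   0x04000000u  /* entry may be used as a chown() target */

struct file_meta { uint32_t uid, gid; unsigned mode; };
struct proc_cred { uint32_t uid; const uint32_t *ids; size_t n_ids; };

/* Read check: classic owner/other bits plus flagged entries. An entry can
 * only add access here; the "can lose access" flag is not modelled. */
int may_read(const struct proc_cred *c, const struct file_meta *f)
{
    if (c->uid == f->uid)
        return (f->mode & 0400) != 0;
    for (size_t i = 0; i < c->n_ids; i++) {
        uint32_t e = c->ids[i], id = e & TR_ID_MASK;
        if (!(e & TR_GAIN)) continue;
        if ((e & TR_IS_UID) && id == f->uid && (f->mode & 0400)) return 1;
        if (!(e & TR_IS_UID) && id == f->gid && (f->mode & 0040)) return 1;
    }
    return (f->mode & 0004) != 0;
}

/* The chown right is tied to one specific GID entry, not granted globally. */
int may_chgrp_to(const struct proc_cred *c, uint32_t gid)
{
    for (size_t i = 0; i < c->n_ids; i++)
        if ((c->ids[i] & (TR_IS_UID | TR_CHOWN)) == TR_CHOWN &&
            (c->ids[i] & TR_ID_MASK) == gid) return 1;
    return 0;
}

/* Constructed sample data: Paul is UID 1001, his file stays mode 0600. */
static const struct file_meta pauls_file = { 1001, 100, 0600 };
static const uint32_t new_guy_ids[] = { TR_IS_UID | TR_GAIN | 1001,
                                        TR_GAIN | TR_CHOWN | 200 };
static const struct proc_cred new_guy  = { 1002, new_guy_ids, 2 };
static const struct proc_cred outsider = { 1003, NULL, 0 };

int main(void)
{
    printf("new guy reads Paul's file: %d\n", may_read(&new_guy, &pauls_file));
    printf("outsider reads Paul's file: %d\n", may_read(&outsider, &pauls_file));
    return 0;
}
```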


