Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)

From: Michael Stone
Date: Sun Jan 10 2010 - 20:43:18 EST


Tetsuo Handa wrote:
> Michael Stone wrote:
> > Examples of software that I want to be able to gain privileges normally include:
> >
> > rainbow, which requires privilege in order to add new accounts to the system
> > and in order to call setuid() but which does not require networking
> > privileges.
>
> If the system is not using local files (i.e. /etc/passwd and /etc/shadow),
> the process that wants to add new accounts to the system might need network
> access (e.g. to LDAP server), doesn't it?

General-purpose account manipulation tools might need network access, but
rainbow handles all its account manipulations via state stored in
/var/spool/rainbow/2. This state is made available to the rest of the system
via libnss_rainbow.

Michael