Date: Wed, 24 Jun 1998 21:20:39 +0100 From: njs3@doc.ic.ac.uk (Niall Smart) To: dg@root.com, tqbf@pobox.com Cc: easmith@beatrice.rutgers.edu (Allen Smith), njs3@doc.ic.ac.uk, dima@best.net, security@FreeBSD.ORG, abc@ralph.ml.org, tqbf@secnet.com Subject: Re: bsd securelevel patch question Message-ID: <E0yow23-00039B-00@oak67.doc.ic.ac.uk> In-Reply-To: David Greenman <dg@root.com> "Re: bsd securelevel patch question" (Jun 24, 11:47am)
next in thread | previous in thread | raw e-mail | index | archive | help
> for granting access to privileged resources and capabilities. I think the > best way to handle this, however, is with a file ACL mechanism that allows > for the specification of privileges as and extension of the access control > information. On the other hand, in VMS, special privileges can be granted to Of course, this implies that all permissions can be represented in the filesystem. I can imagine a /dev/socket/inet/xyz mechanism which allows a process to bind to a specific port or /dev/raw which allows them to create a raw socket etc etc. This gets somewhat messy for the above example since it is difficult to administer things like ranges (eg ports 0 to 1024) using a single device file for each element in that range, and any other approach (e.g. /dev/socket/inet/0-1024) seems to lose the cleanliness offered by the "single file for everything" approach. Niall To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E0yow23-00039B-00>