LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Complexity

Complexity

Posted Sep 24, 2004 6:07 UTC (Fri) by Ross (subscriber, #4065)
In reply to: Complexity by walters
Parent article: An introduction to SELinux

I think the other poster was suggesting something like heiarchical userids
so that users could run subprocesses with a different set of rights than
the parent process. To avoid priviledge escalation these would have to be
strictly one-directional. Similar support for groups would also be nice.

The question is what would the interface look like and how much would it get
in the way. If it was too difficult to use people might as well use a non-
Unix-like solution like SELinux.

(Capabilities are useless as currently defined in the kernel unless you are
trying to restrict what a program running as uid-0 can do. None of the
operations which normal users can perform can be disabled.)

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds