Re: setuid/setgid binaries contained in the Debian repository.
Steve Greenland wrote [Mon, Aug 11, 2003 at 06:00:52PM -0500]:
> On 11-Aug-03, 13:26 (CDT), Emile van Bergen <emile-deb@evbergen.xs4all.nl> wrote:
> > But fundamentally, there is no alternative.
>
> Sure there is. It's called "fine grained privileges" or somesuch, and
> allows you to assign a user or program a specific set of privileges or
> capabilities needed to accomplish the task at hand. That way, when the
> program is exploited, you don't give away the farm the way you do with
> Unix's all-or-nothing root user. SELinux is one implementation of this
> idea, although it's hardly new.
>
> And no, using specific users or groups for specific tasks is NOT
> equivalent, it's just the best we can do with the standard Unix security
> model.
Another very interesting -and IMHO more convenient- implementation of
this same idea is OpenBSD's Systrace - which has already been ported to
Linux, and is in fact present in Debian (check packages systrace,
kernel-patch-systrace and xsystrace).
Greetings,
--
Gunnar Wolf - gwolf@gwolf.cx - (+52-55)5630-9700 ext. 1366
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973 F800 D80E F35A 8BB5 27AF