* Luc Pardon wrote:
> Hi,
>
> Some thoughts from a humble programmer.
>
> > We're not trying to add "will I be able to do this" syscalls !
> > Not that it wouldn't be useful (though I don't have any example in mind right now),
>
> An application developer may want to inform the user that (s)he
> doesn't have sufficient rights to do something, without actually attempting
> to do that "something" and setting off all kinds of alarms. Sysadmins hate
> false alarms (rightly so), and tend to extend that feeling to the users
> that provoke them. Compare it to the "this program must be run as root"
> message that many utilities issue.

No.

1) We have tons of "legacy code" to support (i.e. sendmail, postfix, apache, bin-utils, etc). It is not going to be re-written to make use of these hooks.

2) This can put unnecessary load on the kernel. Security policies can be complex. In some cases you may not have all the information you need to make an informed decision until late in the game. This means the "can I do it" check would have to follow that same path... locking things, allocating things, etc. This works fine for a simple (euid == 0) policy.

3) Do check then do action is not atomic. This presents a classic TOCTOU problem. So the check could pass, but when you go to perform the action something could have changed and you could get denied (or vice-versa).

4) Giving people a means to probe the policy to find out what they can and can't do with no logging is akin to giving people a way to nmap your firewall with no alarms going off.

-chris

_______________________________________________
linux-security-module mailing list
http://mail.wirex.com/mailman/listinfo/linux-security-module
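Point 3's check-then-act race, shown as an added example that is not part of this thread: a stat() "will I be able to create it?" check followed by the create, next to a single O_EXCL open that lets the kernel make the decision atomically. The path, the interleave hook standing in for another process, and the 6-byte payload are constructed for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* A hook standing in for "another process acts in the window between our
 * check and our action". The demo passes one in explicitly; real code has
 * no such hook and simply cannot see the window, which is the problem. */
typedef void (*interleave_fn)(const char *path);

/* Constructed interference: someone else creates the file and puts 6 bytes
 * in it after our check has already run. */
static void someone_else_writes(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return;
    (void)write(fd, "secret", 6);
    close(fd);
}

/* "Will I be able to create it?" via stat(), then create, trusting the
 * answer. Returns 0 when it believes it created a fresh, empty file. */
int create_check_then_act(const char *path, interleave_fn other) {
    struct stat st;
    if (stat(path, &st) == 0)
        return -EEXIST;              /* check says: already there */
    if (other) other(path);          /* the race window */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -errno;
    close(fd);
    return 0;                        /* "success": someone's data is gone */
}

/* Just attempt the action and handle the error: O_EXCL makes the
 * create-only-if-absent decision atomic, so nothing can go stale. */
int create_attempt(const char *path, interleave_fn other) {
    if (other) other(path);          /* same interference, same timing */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -errno;       /* -EEXIST: denied, nothing harmed */
    close(fd);
    return 0;
}

/* Runs one scenario on a fresh path and returns the bytes left in the file:
 * 6 means the other process's data survived, 0 means we clobbered it. */
long run_scenario(const char *path, int check_first) {
    struct stat st;
    unlink(path);
    if (check_first) create_check_then_act(path, someone_else_writes);
    else             create_attempt(path, someone_else_writes);
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}
```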
This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 17:31:08 PDT