Devdas Bhagat wrote:

> On Fri, 13 Jul 2001, Crispin Cowan spewed into the ether:
> > As I understand Shane's original request, it is to get away from the
> > UNIX all-or-nothing "root" security model, without totally throwing away
> > UNIX. Seth is correct that pure capability-based OS's like KeyOS and
> > EROS don't have this problem, but that is not the only way to solve this
> > problem.
> Ok. How about starting simplifying life first?
> Other than history, is there *any* reason to allow the first 1024 ports
> bindable only by root? Since malicious users can now have root access
> to their own systems, the rationale for restricting the lower ports to
> be accessible only to root is no longer valid. Remove that restriction
> and a whole lot of things become simpler.
> In this case, each program has its own space, its own user and its own
> privileges.

Waaay back in the dawn of LSM (April :-) we chartered this list to talk about the design & implementation of the LSM interface. We explicitly excluded discussion of security architecture & research in general. The reason is because security architecture & research chat is a bottomless pit of endless discussion, and we want to keep this list focussed on accomplishing LSM's goals. Therefore, we restrict discussion to features needed to support already established security models, and not features required to support nifty new ideas.

We do recognize that discussing security architecture, research, and nifty new ideas is a fully legitimate thing to do, and needs a forum. To that end, JM Jones created some alternate mailing lists for discussing this kind of thing. You can find them here http://lsm.antisoft.com/

What Devdas is suggesting is, in essence, a proposal for a new LSM module. Go ahead and develop that idea. Use the LSM hooks as you need them. Discuss the idea on the lsm-discussionat_private mailing list.
Come back here if you find that the LSM interface is missing features that you need to implement your module idea.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

This archive was generated by hypermail 2b30 : Sat Jul 14 2001 - 14:57:26 PDT