Casey Schaufler wrote:

>And in a DAC only world that's understandable because you're
>allowed to look at the attributes even if the file mode is 000.
>In a MAC world, however, you won't be permitted to look at
>the attributes that tell you it's a directory if you're not
>cleared to read the file. This is the way that all LSPP systems
>work today.
>

See David Miller's response to the networking hooks, and imagine trying to convince him of the merit of putting security checks ahead of error checking :-)

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
Just say ".Nyet"
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 19:07:30 PST