On 06/04/09 19:48, Peter Memishian wrote:
> > I guess we could provide some 'privileges bracketing', using functions
> > defined in <priv.h>, allowing 'file_dac_write' to be enabled only
> > when needed and disabled for the most part.
>
> What is the threat model we're concerned about here?
> If the privilege is still in the limit set, then it's trivial for an exploit
> to acquire the privilege and do whatever.
We will clear the limit set at the start of the program. This privilege will move into the effective set from the permitted set only when needed. With the limit/inheritable set being empty, nobody can spawn a process out of ipadm and take the system for a ride.

thanks
~Girish
