Girish Moodalbail writes:
> On 06/04/09 19:48, Peter Memishian wrote:
> > > I guess we could provide some 'privileges bracketing', using functions
> > > defined in <priv.h>, allowing 'file_dac_write' to be enabled only
> > > when needed and disabled for the most part.
> >
> > What is the threat model we're concerned about here?
> > If the privilege is still in the limit set, then it's trivial for an exploit
> > to acquire the privilege and do whatever.
>
> We will clear the limit set at the start of the program. This
> privilege will move into the effective set from the permitted set only when
> needed.
>
> With the limit/inheritable set being empty, nobody can spawn a process out of
> ipadm and take the system for a ride.
I think meem's point is that if it's still permitted, then an attack could
put it in the effective set for the attack.

Just the same, I believe that the security folks consider it good practice
to bracket the use of privileges so that they're not just lingering in the
effective set. Sure, it's probably just "security by obscurity," but the
issue that I'm trying to confront is that giving ipadm file_dac_write gives
it a lot more power than it otherwise should have, so caution is a good
thing.

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
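The bracketing discipline discussed in the thread, as an added example that is not ipadm's code or anything from the original mails: the tool empties its limit and inheritable sets at startup, keeps only file_dac_write in the permitted set, and raises it into the effective set only around the one operation that needs it. All function names (set_minimum_sets, with_dac_write, write_config) are hypothetical. It assumes the process already has file_dac_write in its permitted set when it starts (from an RBAC profile or a forced privilege on the binary), since setppriv(2) can only shrink that set. On Solaris/illumos it uses the real <priv.h> interfaces; on other systems a two-privilege bitmask model with the same set rules stands in so the bracketing logic can still be run. Note that the model's set_dac_write(1) succeeds for any code running in the process, which is exactly meem's point: bracketing narrows the window, but an exploit running inside ipadm can raise anything left in the permitted set.

```c
/*
 * Privilege bracketing for an ipadm-like tool (added example, not ipadm's
 * code).  At startup: empty limit (L) and inheritable (I) so nothing spawned
 * from the tool can obtain the privilege, keep only file_dac_write in
 * permitted (P), keep effective (E) empty.  file_dac_write is raised into E
 * only around the operation that needs it and lowered on every return path.
 * Assumes file_dac_write is already in P at startup (RBAC profile or forced
 * privilege on the binary): setppriv(2) can only shrink P.  On Solaris/illumos
 * the real <priv.h> calls are used; elsewhere a two-privilege bitmask model
 * with the same rules stands in so the bracketing logic still runs.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#if defined(__sun) && defined(__SVR4)
#include <priv.h>
static int set_minimum_sets(void)
{
	priv_set_t *s = priv_allocset();
	int rc;
	if (s == NULL) return (-1);
	priv_emptyset(s);
	rc = (setppriv(PRIV_SET, PRIV_LIMIT, s) == 0 &&
	    setppriv(PRIV_SET, PRIV_INHERITABLE, s) == 0 &&
	    setppriv(PRIV_SET, PRIV_EFFECTIVE, s) == 0 &&
	    priv_addset(s, PRIV_FILE_DAC_WRITE) == 0 &&
	    setppriv(PRIV_SET, PRIV_PERMITTED, s) == 0) ? 0 : -1;
	priv_freeset(s);
	return (rc);
}
static int set_dac_write(int on)
{
	return (priv_set(on ? PRIV_ON : PRIV_OFF, PRIV_EFFECTIVE,
	    PRIV_FILE_DAC_WRITE, (char *)NULL));
}
static int dac_write_in_effect(void) { return (priv_ineffect(PRIV_FILE_DAC_WRITE) ? 1 : 0); }
#else
/* Model (non-Solaris stand-in): bit 0 is file_dac_write, bit 1 stands for
 * every other privilege; the process starts fully privileged, as root would. */
enum { DAC_WRITE = 1, ALL_PRIVS = 3 };
static unsigned int set_E = ALL_PRIVS, set_P = ALL_PRIVS;
static unsigned int set_I = ALL_PRIVS, set_L = ALL_PRIVS;
static int set_minimum_sets(void)
{
	if (!(set_P & DAC_WRITE)) { errno = EPERM; return (-1); } /* P never grows */
	set_L = set_I = 0;	/* shrinking L also shrinks I */
	set_P = DAC_WRITE;	/* shrinking P also shrinks E */
	set_E = 0;
	return (0);
}
static int set_dac_write(int on)
{
	if (on && !(set_P & DAC_WRITE)) { errno = EPERM; return (-1); } /* E grows only from P */
	set_E = on ? (set_E | DAC_WRITE) : (set_E & ~DAC_WRITE);
	return (0);
}
static int dac_write_in_effect(void) { return ((set_E & DAC_WRITE) ? 1 : 0); }
#endif

/* Run fn() with file_dac_write in E and lower it again whatever fn does. */
static int with_dac_write(int (*fn)(void *), void *arg)
{
	int rc, saved;
	if (set_dac_write(1) != 0)
		return (-1);
	rc = fn(arg);
	saved = errno;
	if (set_dac_write(0) != 0)	/* never carry on with it raised */
		abort();
	errno = saved;
	return (rc);
}
struct cfg_write { const char *path; const char *data; };
static int do_write(void *arg)
{
	struct cfg_write *w = arg;
	int fd = open(w->path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
	ssize_t n = (fd < 0) ? -1 : write(fd, w->data, strlen(w->data));
	if (fd >= 0) (void) close(fd);
	return (n == (ssize_t)strlen(w->data) ? 0 : -1);
}
/* The only point in the program where file_dac_write is ever in effect. */
static int write_config(const char *path, const char *data)
{
	struct cfg_write w = { path, data };
	return (with_dac_write(do_write, &w));
}
static int probe_in_effect(void *unused) { (void) unused; return (dac_write_in_effect()); }
int main(void)
{
	if (set_minimum_sets() != 0) { perror("setppriv"); return (1); }
	printf("outside bracket: %d\n", dac_write_in_effect());
	printf("inside bracket:  %d\n", with_dac_write(probe_in_effect, NULL));
	if (write_config("/tmp/ipadm-example.conf", "lo0/v4 up\n") != 0)
		perror("write_config");
	printf("after write:     %d\n", dac_write_in_effect());
	return (0);
}
```

The lowering in with_dac_write runs on the error path as well as the success path, and errno from the bracketed call is preserved across it; abort() on a failed lower is deliberate, since continuing with the privilege raised is the failure mode the bracket exists to prevent. On Solaris, confirm the resulting sets from another shell with `ppriv <pid>` while the tool runs: L and I should be empty, P should hold only file_dac_write, and E should be empty except during the write.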
