On Thu, Aug 21, 2003 at 01:58:54AM -0500, Dan Nelson wrote: +> Have you taken a look at Cerb? http://cerber.sourceforge.net/ +> +> It does something similar, but uses a C-like language to control a +> processes actions. This lets you get extremely fine-grained control +> (allow httpd to bind to only port 80, once), but the rules run as +> "root", so they can grant as well as revoke privileges. A useful +> modification would be to allow users to submit their own policies that +> can only disallow actions (i.e. all arguments and process variables are +> read-only, and the script can either pass the syscall through or return +> a failure code, nothing else).
I'm planing to do so in next CerbNG version, as well as allow jailed-roots to load rules that affects only jailed-processes. -- Pawel Jakub Dawidek [EMAIL PROTECTED] UNIX Systems Programmer/Administrator http://garage.freebsd.pl Am I Evil? Yes, I Am! http://cerber.sourceforge.net
pgp00000.pgp
Description: PGP signature
