Adam Olsen <[EMAIL PROTECTED]> writes:

> "Niels Möller" wrote:

> > I start my own auth-server, which runs as me, with all my privileges.
> > Then I start the untrusted script in such a way that it has no
> > privileges at all with the standard authserver (i.e. like the system's
> > "no-uid" user). However, it could talk to my auth-server, which could
> > proxy some requests to the real auth server, and in that way delegate
> > some of my privileges.

> The real question here is if it's possible to prevent them from using
> the normal hurd auth server.  If you can't then it could always
> circumvent the entire thing, unless it's the default server that's
> modified to use subusers.

You're right, I guess. What is the usual way for a new process to
obtain a port to the auth server (or other system servers)? Does it
get an open port when it is started, or does it open /hurd/auth or
somesuch? In the latter case, the process must first get hold of a
port to the filesystem, so we'd need a special filesystem to enforce
the restrictions of the untrusted "sub-user"-process.

/Niels
