On Tuesday December 8 2009 04:35:11 am Filip Bartmann wrote: > Dne Tue, 08 Dec 2009 00:52:27 -0500 > > Robert Connolly <rob...@linuxfromscratch.org> napsal(a): > > I want to brainstorm something I brought up before. > > > > The firefox (or irssi, or even ssh client) program could be run as > > another user/group (suid/sgid), so that it does not have permission > > to read/write/execute files it does not need. So it has less than > > your permissions. But, under this design firefox would be able to > > write to other user's cache. What is the way around this problem? > > > > chroot might be of help. The firefox client could chroot to > > ~/.firefox, running as the firefox user/group, who has permission on > > your ~/.firefox directory. Other users would not have the ability to > > do this if they're confined to this /usr/bin/ssh script. > > > > Making /usr/bin/ssh a script to use suid myusername-suid, is another > > idea, so that system users do not reuse the same user for firefox (or > > irssi, or ssh)... so it is impossible for one program to get > > permissions on another. The number of usernames in /etc/password > > skyrockets with this though... with one new user for each > > application, multiplied by each user. > > > > Access control lists can also control this, but I am looking for > > another level to create a redundancy. > > > > robert > > Why you don't use SELinux? This system solves all in this e-mail. > > Filip Bartmann
Redundancy. robert
pgp2wOY60q13n.pgp
Description: PGP signature
-- http://linuxfromscratch.org/mailman/listinfo/hlfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
