On Wed, Dec 23, 2009 at 10:28:28PM +0100, Casper.Dik at Sun.COM wrote:
> >In the case of loopback IPC: we do not support a system with lo0 unplumbed
> >because we do not know what applications will break. This proposal seems
> >to result in a system that is at least as unsupportable.
>
> No, because it is a basic privilege and so all applications will have
> the basic privileges unless they want to run without them.
>
> Follow-on projects will allow us to select what INET connections can be
> made; I do not believe that a carte blanche for "localhost" connections is
> warranted: it allows sending email out through sendmail using the
> submission port.
Just the ability to exec() sendmail suffices for sending e-mail; no need to talk to sendmail via a socket. Sure, you could then remove PROC_EXEC and PROC_NETWORK from a process' privilege sets, but that's pretty constraining when all you wanted initially was to disallow network communication.

Also, even without this privilege one could use name services as a covert channel. Maybe nscd should not allow a calling process without this new basic privilege to do host lookups for anything other than localhost and its aliases as they appear in /etc/inet/hosts.

I do agree that privileges are not suitable for fine-grained access controls on specific programs, that that's the land of FGAP and FMAC. This, not by itself but coupled with the simplicity of implementing the new privilege in socket()/t_open(), is the best rationale for this basic privilege to apply to all inet/inet6 sockets.

Nico
--