The Unix Heritage Society mailing list
From: Grant Taylor via TUHS <tuhs@minnie.tuhs.org>
To: tuhs@minnie.tuhs.org
Subject: Re: [TUHS] Who's behind the UNIX filesystem permission implementation
Date: Wed, 31 Jul 2019 12:46:02 -0600	[thread overview]
Message-ID: <b08a5508-0fc7-3a02-772c-405717c152f1@spamtrap.tnetconsulting.net> (raw)
In-Reply-To: <e28d95ae-5696-7479-d967-1b754aaa56b0@telegraphics.com.au>


On 7/31/19 11:00 AM, Toby Thain wrote:
> It may not address "all aspects" since it has been necessary for some 
> purposes to extend the permission model substantially over time, such 
> as ACLs, SELinux, etc.

I thought that ACLs acted as additional gates / restriction points 
beyond what standard Unix file system permissions allowed.  Meaning that
ACLs couldn't /add/ permission, but they could /remove/ permission.

I think SELinux behaves similarly.  It blocks (removes) existing 
permissions.  Beyond that, I think SELinux is filtering (removing) 
permissions when comparing what (who) is running combined with what is 
being run further combined with what it is being run against.  So again, 
removing existing permissions.

The only thing that I'm aware of that actually /adds/ permissions is the 
capability subsystem.  It can give an unprivileged user the ability to 
run a binary that can bind to a port below 1024.



-- 
Grant. . . .
unix || die
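An editor's note on the ACL part of the post above: in a POSIX.1e ACL the entry that only ever takes permission away is the mask, which caps the named-user, owning-group and named-group entries (getfacl(1) shows the clamped result as "#effective:"). A named-user entry, on the other hand, can grant a user access the mode bits alone would refuse. The example below is added here and is not code from the post or from any ACL implementation; it walks the access-check algorithm as documented in acl(5) over constructed getfacl(1) output, with the names bob, alice, carol, dave and wheel invented for illustration.

```python
"""POSIX.1e ACL access check, following the algorithm described in acl(5).

Added example; not code from the mailing-list post. The getfacl(1)
output and the identities bob/alice/carol/dave/wheel are constructed.
"""
from dataclasses import dataclass
from typing import Optional

R, W, X = 4, 2, 1  # same bit encoding as the mode-bit triads


@dataclass(frozen=True)
class Entry:
    tag: str                        # user_obj, user, group_obj, group, mask, other
    perms: int                      # bitwise OR of R, W, X
    qualifier: Optional[str] = None  # user or group name for named entries


def parse_perms(text):
    """'rw-' -> R|W. Anything other than r/w/x in its slot or '-' is rejected."""
    if len(text) != 3:
        raise ValueError(f"bad permission string {text!r}")
    bits = 0
    for ch, expect, bit in zip(text, "rwx", (R, W, X)):
        if ch == expect:
            bits |= bit
        elif ch != "-":
            raise ValueError(f"bad permission string {text!r}")
    return bits


def parse_getfacl(text):
    """Parse getfacl(1) output into (owner, owning group, [Entry])."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
            continue
        if line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
            continue
        line = line.split("#", 1)[0].strip()  # drops "# file:" and "#effective:" notes
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        if tag in ("user", "group") and qualifier == "":
            tag += "_obj"                     # "user::" / "group::" are owner / owning group
        entries.append(Entry(tag, parse_perms(perms), qualifier or None))
    return owner, group, entries


def check_access(acl, user, groups, want):
    """True if `user` (member of `groups`) may perform `want` under `acl`."""
    owner, owning_group, entries = acl
    mask = next((e.perms for e in entries if e.tag == "mask"), None)

    def effective(e):
        # The mask clamps named users, the owning group and named groups;
        # it never touches the owner entry or "other".
        if mask is None or e.tag in ("user_obj", "other"):
            return e.perms
        return e.perms & mask

    def grants(perms):
        return want & ~perms == 0

    if user == owner:
        return grants(next(e.perms for e in entries if e.tag == "user_obj"))
    for e in entries:
        if e.tag == "user" and e.qualifier == user:
            return grants(effective(e))
    # Group stage: any matching group entry that (after masking) covers the
    # request suffices; if a group matched but none covers it, deny without
    # falling through to "other".
    matching = [e for e in entries
                if (e.tag == "group_obj" and owning_group in groups)
                or (e.tag == "group" and e.qualifier in groups)]
    if matching:
        return any(grants(effective(e)) for e in matching)
    return grants(next(e.perms for e in entries if e.tag == "other"))


# Constructed getfacl output: owner bob, mode rw-r-----, alice granted rw-
# but the mask clamps her (and wheel) to r--.
SAMPLE_GETFACL = """\
# file: secrets.txt
# owner: bob
# group: bob
user::rw-
user:alice:rw-\t\t\t#effective:r--
group::r--
group:wheel:rwx\t\t\t#effective:r--
mask::r--
other::---
"""

SAMPLE_ACL = parse_getfacl(SAMPLE_GETFACL)

if __name__ == "__main__":
    for who, groups, want, label in [
        ("bob", {"bob"}, R | W, "owner rw"),
        ("alice", {"alice"}, R, "alice r (named user; mode bits alone deny)"),
        ("alice", {"alice"}, W, "alice w (mask strips it)"),
        ("carol", {"carol", "wheel"}, X, "carol x via wheel (mask strips it)"),
        ("carol", {"carol", "bob"}, R, "carol r via owning group"),
        ("dave", {"dave"}, R, "dave r (falls through to other)"),
    ]:
        print(f"{label:45} -> {check_access(SAMPLE_ACL, who, groups, want)}")
```

The two outcomes worth noticing are alice reading the file, which plain rw-r----- mode bits would refuse, and alice being unable to write despite her rw- entry, because the mask removes it. Note also that a matched group entry that does not cover the request denies outright rather than falling through to the "other" entry.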



Thread overview: 13+ messages
2019-07-31  9:59 Stephan Han.
2019-07-31 16:49 ` Rodrigo G. López
2019-07-31 17:29   ` Arthur Krewat
2019-07-31 17:58     ` Clem Cole
2019-07-31 18:03     ` Christopher Browne
2019-07-31 20:16     ` Arthur Krewat
2019-07-31 17:00 ` Toby Thain
2019-07-31 17:18   ` Warner Losh
2019-07-31 22:24     ` William Corcoran
2019-07-31 22:49       ` George Michaelson
2019-07-31 18:46   ` Grant Taylor via TUHS [this message]
2019-07-31 19:01     ` Clem Cole
2019-07-31 19:34     ` Ben Greenfield via TUHS