
Re: [future patch] dropping user privileges on demand

On Thu, Aug 21, 2003 at 10:44:03PM +0200, Pawel Jakub Dawidek wrote:
>On Thu, Aug 21, 2003 at 01:09:15PM -0400, ari wrote:
>+> [...] The programmer
>+> should be able to drop filesystem creation permissions, without worrying
>+> about the need to drop open, mkfifo, bind, link, symlink, mkdir, and any
>+> other system calls that happen to be available in this particular kernel
>+> version. [...]
>In CerbNG you only need to write a macro like:
>	#define	DROP_FS_CREATION()					\
>	if (syscall == SYS_open || syscall == SYS_mkfifo ||		\
>	    syscall == SYS_bind || syscall == SYS_link || ...) {	\
>		return (EPERM);						\
>	}

Unless 'syscall' can be evaluated at compile time, this approach adds
overhead wherever it is used - and the overhead gets worse as the
number of system calls in the set increases.  A particular problem is
that the overhead is worst for system calls that aren't caught (in the
above, the overhead for open() is trivial but write() would need to go
through each of the tests).  A bit-vector provides constant overhead
but it's still fairly expensive unless the relevant parts of the vector
are already cached.

>As I said. Stuff like systrace or cerb doesn't need to be standardized,
>because it is transparent for applications. It doesn't need any work from
>userland application programmer. That's why it is easy to adopt for
>non-BSD-licensed applications or even for non-open-source applications.

This isn't good enough.  It _does_ need to be standardised so that the
administrator doesn't have to learn N radically different approaches
to secure a system.  As far as the userland application programmer is
concerned, there's very little difference between any flavour of Un*x.
There are massive differences between them when it comes to
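The overhead argument above, as an added example (not code from the thread or from CerbNG): the chained-compare shape of the quoted macro beside a bit-vector set, each reporting how many tests it ran. The syscall numbers are constructed constants for this example, not values from any real syscalls.master.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative syscall numbers chosen for this example (assumption),
 * not taken from any real syscalls.master. */
enum { SC_WRITE = 4, SC_OPEN = 5, SC_LINK = 9, SC_SYMLINK = 57,
       SC_BIND = 104, SC_MKFIFO = 132, SC_MKDIR = 136, NSYSCALLS = 512 };

static const int fs_creation_chain[] =
    { SC_OPEN, SC_MKFIFO, SC_BIND, SC_LINK, SC_SYMLINK, SC_MKDIR };
#define NCHAIN (sizeof fs_creation_chain / sizeof fs_creation_chain[0])

/* Chained compares, as in the quoted macro; *ntests counts comparisons run. */
int chain_check(int sc, int *ntests)
{
    *ntests = 0;
    for (size_t i = 0; i < NCHAIN; i++) {
        (*ntests)++;
        if (sc == fs_creation_chain[i])
            return EPERM;   /* caught early in the chain */
    }
    return 0;               /* not in the set: paid for every test */
}

/* Bit vector: one bit per syscall number, so membership is a word index
 * plus a mask test regardless of how many calls are in the set. */
typedef struct { uint64_t w[NSYSCALLS / 64]; } scset_t;

int bitvec_check(const scset_t *s, int sc, int *ntests)
{
    *ntests = 1;
    if (sc < 0 || sc >= NSYSCALLS)
        return EINVAL;      /* unknown number: refuse, never index past the vector */
    return ((s->w[sc / 64] >> (sc % 64)) & 1) ? EPERM : 0;
}

scset_t fs_creation_set(void)
{
    scset_t s = {{0}};
    for (size_t i = 0; i < NCHAIN; i++)
        s.w[fs_creation_chain[i] / 64] |= (uint64_t)1 << (fs_creation_chain[i] % 64);
    return s;
}

int main(void)
{
    scset_t set = fs_creation_set();
    int probe[] = { SC_OPEN, SC_MKDIR, SC_WRITE }, n, m;
    for (int i = 0; i < 3; i++) {
        int a = chain_check(probe[i], &n), b = bitvec_check(&set, probe[i], &m);
        printf("syscall %3d: chain %d after %d tests, bitvec %d after %d\n", probe[i], a, n, b, m);
    }
    return 0;
}
```

Running it shows open() rejected after one comparison, mkdir() after six, and write() still paying all six before passing, while the bit vector answers each in a single test.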