Re: [PATCH] Allow restricting permissions in /proc/sys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 3.11.2019 19.56, Theodore Y. Ts'o wrote:
On Sun, Nov 03, 2019 at 04:55:48PM +0200, Topi Miettinen wrote:
Several items in /proc/sys need not be accessible to unprivileged
tasks. Let the system administrator change the permissions, but only
to more restrictive modes than what the sysctl tables allow.

Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>

Why should restruct the system administrator from changing the
permissions to one which is more lax than what the sysctl tables?

The system administrator is already very much trusted.  Why should we
take that discretion away from the system administrator?

That could make sense, in addition changing UID/GID would allow even more flexibility. The current checks and restrictions which prevent those changes were already present in original code in 2007. I didn't want to change the logic too much. Perhaps loosening the restrictions could be a follow-up patch, as it may give chance to use more of generic proc or fslib code and thus a larger restructuring.

-Topi



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux