On 3.11.2019 19.56, Theodore Y. Ts'o wrote:
On Sun, Nov 03, 2019 at 04:55:48PM +0200, Topi Miettinen wrote:
Several items in /proc/sys need not be accessible to unprivileged
tasks. Let the system administrator change the permissions, but only
to more restrictive modes than what the sysctl tables allow.
Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>
Why should restruct the system administrator from changing the
permissions to one which is more lax than what the sysctl tables?
The system administrator is already very much trusted. Why should we
take that discretion away from the system administrator?
That could make sense, in addition changing UID/GID would allow even
more flexibility. The current checks and restrictions which prevent
those changes were already present in original code in 2007. I didn't
want to change the logic too much. Perhaps loosening the restrictions
could be a follow-up patch, as it may give chance to use more of generic
proc or fslib code and thus a larger restructuring.
-Topi