Gentoo Archives: gentoo-dev

From: Peter Stuge <peter@×××××.se>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Re: Looking for alternative to RESTRICT=userpriv
Date: Fri, 03 Oct 2014 03:01:31
Message-Id: 20141003030120.18350.qmail@stuge.se
In Reply to: [gentoo-dev] Re: Looking for alternative to RESTRICT=userpriv by "Steven J. Long"

Steven J. Long wrote:
> On Tue, Sep 30, 2014 at 07:52:02AM -0700, Zac Medico wrote:
> > The IPC implementation that I've suggested does not involve an SUID
> > helper, so it is much more secure. Security would rely on the permission
> > bits of the named pipes that are used to implement IPC.
..
> I don't see how that's "more secure"

It's a lot more secure to have a single well-defined privileged trust
anchor (the privileged process) with a well-defined protocol, than to
have built-in privilege escalation which allows arbitrary actions.


> Not sure what a daemon buys you

Not requiring built-in privilege escalation.


//Peter
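
A sketch of the design discussed in this thread, added here as an example and not code from Portage or from any poster: a privileged process that trusts its request pipe only after checking the pipe's type, owner, group and permission bits, and that accepts only a fixed set of requests. The verb names, the 0620 mode and the one-line request format are assumptions made for illustration; the thread does not define a protocol.

```python
import os
import stat

# Hypothetical request verbs; the thread does not define the protocol.
ALLOWED_VERBS = {"mknod", "chown"}
# Assumed layout: daemon owns the pipe (rw), build group may only write, no world bits.
EXPECTED_MODE = 0o620


def open_request_fifo(path, owner_uid, group_gid):
    """Open the request pipe for reading and verify it on the open descriptor.

    Checking with fstat() after open() avoids a race between check and use;
    O_NOFOLLOW refuses a symlink planted at the expected path.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOFOLLOW)
    st = os.fstat(fd)
    trusted = (
        stat.S_ISFIFO(st.st_mode)
        and st.st_uid == owner_uid
        and st.st_gid == group_gid
        and stat.S_IMODE(st.st_mode) == EXPECTED_MODE
    )
    if not trusted:
        os.close(fd)
        raise PermissionError(f"refusing untrusted request pipe: {path}")
    return fd


def parse_request(line):
    """Return (verb, argument) for a well-formed request, else None.

    Anything outside the fixed protocol is dropped, so a writer on the pipe
    can ask only for the listed actions, never for arbitrary ones.
    """
    parts = line.rstrip("\n").split(" ")
    if len(parts) != 2:
        return None
    verb, arg = parts
    if verb not in ALLOWED_VERBS:
        return None
    # Argument must be an already-normalized absolute path (no "..", no "./").
    if not arg.startswith("/") or os.path.normpath(arg) != arg:
        return None
    return verb, arg
```
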
