[TUHS] Who's behind the UNIX filesystem permission implementation

Grant Taylor gtaylor at tnetconsulting.net
Thu Aug 1 04:46:02 AEST 2019

On 7/31/19 11:00 AM, Toby Thain wrote:
> It may not address "all aspects" since it has been necessary for some 
> purposes to extend the permission model substantially over time, such 
> as ACLs, SELinux, etc.

I thought that ACLs acted as additional gates / restriction points 
beyond what standard Unix file system permissions allowed.  Meaning that
ACLs couldn't /add/ permission, but they could /remove/ permission.

I think SELinux behaves similarly.  It blocks (removes) existing 
permissions.  Beyond that, I think SELinux is filtering (removing) 
permissions when comparing what (who) is running combined with what is 
being run further combined with what it is being run against.  So again, 
removing existing permissions.

The only thing that I'm aware of that actually /adds/ permissions is the 
capability subsystem.  It can give an unprivileged user the ability to 
run a binary that can bind to a port below 1024.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4008 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20190731/2087badd/attachment.bin>

More information about the TUHS mailing list