[TUHS] Who's behind the UNIX filesystem permission implementation
Grant Taylor
gtaylor at tnetconsulting.net
Thu Aug 1 04:46:02 AEST 2019
On 7/31/19 11:00 AM, Toby Thain wrote:
> It may not address "all aspects" since it has been necessary for some
> purposes to extend the permission model substantially over time, such
> as ACLs, SELinux, etc.

I thought that ACLs acted as additional gates / restriction points
beyond what standard Unix file system permissions allowed. Meaning that
ACLs couldn't /add/ permission, but they could /remove/ permission.

I think SELinux behaves similarly. It blocks (removes) existing
permissions. Beyond that, I think SELinux is filtering (removing)
permissions when comparing what (who) is running combined with what is
being run further combined with what it is being run against. So again,
removing existing permissions.

The only thing that I'm aware of that actually /adds/ permissions is the
capability subsystem. It can give an unprivileged user the ability to
run a binary that can bind to a port below 1024.
--
Grant. . . .
unix || die
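
The capability case mentioned in the message above, as an added example that is not part of the original post: it reads the capability masks Linux exposes in /proc/<pid>/status and reports which non-root processes could bind a port below 1024. The process names and masks are constructed sample data, the function names are hypothetical, and user/network namespaces are ignored.

```python
"""Added example: which processes may bind a port below 1024, judged from the
capability sets in /proc/<pid>/status. Sample data below is constructed."""

CAP_NET_BIND_SERVICE = 10   # bit number, from <linux/capability.h>
UNPRIV_PORT_START = 1024    # default of net.ipv4.ip_unprivileged_port_start

# Constructed excerpts of /proc/<pid>/status (not captured from a real host).
SAMPLES = [
    "Name:\tsshd\nUid:\t0\t0\t0\t0\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n",
    "Name:\twebd\nUid:\t33\t33\t33\t33\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n",
    "Name:\tdnsd\nUid:\t53\t53\t53\t53\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000000\n",
    "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n",
]


def parse_status(text):
    """Return name, effective UID and capability masks from a status excerpt."""
    fields = dict(line.split(":\t", 1) for line in text.splitlines() if ":\t" in line)
    return {
        "name": fields["Name"],
        "euid": int(fields["Uid"].split()[1]),  # order: real, effective, saved, fs
        "permitted": int(fields["CapPrm"], 16),
        "effective": int(fields["CapEff"], 16),
    }


def may_bind(proc, port, start=UNPRIV_PORT_START):
    """The bind check consults the effective capability set, not the UID."""
    if port == 0 or port >= start:  # port 0 asks for an ephemeral port
        return True
    return bool((proc["effective"] >> CAP_NET_BIND_SERVICE) & 1)


def non_root_low_port_binders(samples):
    """Names of non-root processes holding the capability in their effective set."""
    procs = [parse_status(s) for s in samples]
    return [p["name"] for p in procs if p["euid"] != 0 and may_bind(p, 80)]


if __name__ == "__main__":
    for s in SAMPLES:
        p = parse_status(s)
        print(f'{p["name"]:5} euid={p["euid"]:<5} bind(80)={may_bind(p, 80)}')
    print("non-root with CAP_NET_BIND_SERVICE:", non_root_low_port_binders(SAMPLES))
```

The constructed "dnsd" entry has the bit in its permitted set only, so it cannot bind until the process raises it into the effective set.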