From: Solar Designer <solar@openwall.com>
To: kernel-hardening@lists.openwall.com
Subject: Re: [kernel-hardening] procfs {tid,tgid,attr}_allowed mount options
Date: Wed, 10 Aug 2011 15:22:46 +0400
Message-ID: <20110810112246.GA30492@openwall.com>
In-Reply-To: <20110810100227.GA3507@albatros>
On Wed, Aug 10, 2011 at 02:02:27PM +0400, Vasiliy Kulikov wrote:
> One question: do we really need the gid= option? The only user I know is
> identd, but does anybody use it nowadays?

identd is mostly obsolete, but I am using gid= with 2.4.x-ow kernels to
let a group of sysadmins see all users' processes and network
connections without having to use su. In fact, I use it on my very own
computers - again, to let my main desktop user account see everything,
while not letting my pseudo-user accounts (that I use for things such as
a web browser) also see everything (they're not in group proc).

> With gid= I see 2 drawbacks:
>
> 1) Code becomes worse because of additional permission checks.
>
> 2) From the upstream's point of view it is a very limited and unextendable
> feature.

This feature is precisely what I needed and used for over a decade.
I never needed more flexibility. Maybe this says something.

> So, I'd go further without gid=, at least for the beginning.

I don't know what works best for upstream acceptance in the beginning,
but I definitely want this feature to get in, and it is a must for Owl.

Thanks,

Alexander
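The setup described above (a dedicated group that can see every process under /proc while other users only see their own) is, as an added example that is not part of this thread or of Owl, shown below as a small audit script. It uses the hidepid= and gid= option names that mainline Linux merged for this feature in 3.3, not the {tid,tgid,attr}_allowed names under discussion here; the group name "proc", the gid 19 and the two sample mount lines are constructed for the example, and the script only inspects a mounts-style text, so it runs without root.

```sh
#!/bin/sh
# Added example (not from the thread): audit the /proc mount options for
# hidepid= (restrict other users' pids) and gid= (group exempt from the
# restriction), and show the remount that would set them.
#
# Assumptions: option names as in mainline Linux 3.3+ (hidepid=, gid=);
# the exempt group is called "proc" and has gid 19 (both constructed).

# Print the option field (4th column) of the /proc line from a
# /proc/self/mounts-style text passed in $1.
proc_mount_opts() {
    printf '%s\n' "$1" | awk '$2 == "/proc" && $3 == "proc" { print $4; exit }'
}

# Return 0 if the option string hides other users' processes.
# hidepid=0 / hidepid=off (or no hidepid at all) means everyone sees everything.
has_hidepid() {
    case ",$1," in
        *,hidepid=1,*|*,hidepid=2,*|*,hidepid=4,*) return 0 ;;
        *,hidepid=noaccess,*|*,hidepid=invisible,*|*,hidepid=ptraceable,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the numeric gid from a gid=N option, or nothing if absent.
proc_gid() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^gid=//p'
}

# Verdict for a mounts text: "weak" (no hidepid), "hidepid" (restricted,
# no exempt group) or "hidepid,gid=N" (restricted, group N sees all).
proc_verdict() {
    opts=$(proc_mount_opts "$1")
    if ! has_hidepid "$opts"; then
        echo weak
        return
    fi
    g=$(proc_gid "$opts")
    if [ -n "$g" ]; then
        echo "hidepid,gid=$g"
    else
        echo hidepid
    fi
}

# Constructed sample mount lines: the default (weak) mount, and the
# hardened mount with group 19 exempt from hidepid.
SAMPLE_WEAK='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_HARDENED='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=19 0 0'

echo "sample default mount:  $(proc_verdict "$SAMPLE_WEAK")"
echo "sample hardened mount: $(proc_verdict "$SAMPLE_HARDENED")"

# With --live, audit the running system instead of the samples.
if [ "${1:-}" = --live ]; then
    echo "this host: $(proc_verdict "$(cat /proc/self/mounts)")"
fi

# To apply the hardened setting as root (not executed here):
#   mount -o remount,hidepid=2,gid=$(getent group proc | cut -d: -f3) /proc
# or persistently in /etc/fstab (gid resolved by hand, e.g. 19):
#   proc  /proc  proc  defaults,hidepid=2,gid=19  0  0
```

Users in group proc then see all of /proc as before, while every other user gets only their own processes (hidepid=2 also hides the pid directories entirely); a session opened before the remount keeps its old view until /proc is re-opened, so run the audit after logging in again.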
Thread overview: 29+ messages
[not found] <20110603191153.GB514@openwall.com>
2011-06-04 5:47 ` [kernel-hardening] Re: procfs mount options Vasiliy Kulikov
2011-06-04 13:20 ` [kernel-hardening] " Solar Designer
2011-06-04 20:09 ` Vasiliy Kulikov
2011-06-04 20:59 ` Solar Designer
2011-06-05 18:24 ` [kernel-hardening] [RFC v1] " Vasiliy Kulikov
2011-06-05 19:26 ` Solar Designer
2011-06-05 19:47 ` Vasiliy Kulikov
2011-06-05 20:10 ` Solar Designer
2011-06-06 18:08 ` Vasiliy Kulikov
2011-06-06 18:33 ` Solar Designer
2011-06-08 17:23 ` [kernel-hardening] [RFC v2] " Vasiliy Kulikov
2011-06-08 17:43 ` Vasiliy Kulikov
2011-06-12 2:39 ` Solar Designer
2011-07-24 18:55 ` Vasiliy Kulikov
[not found] ` <20110724185036.GC3510@albatros>
2011-07-26 14:50 ` Vasiliy Kulikov
2011-07-29 17:47 ` [kernel-hardening] procfs {tid,tgid,attr}_allowed " Vasiliy Kulikov
2011-08-04 11:23 ` [kernel-hardening] " Vasiliy Kulikov
2011-08-10 10:02 ` Vasiliy Kulikov
2011-08-10 11:22 ` Solar Designer [this message]
2011-08-10 11:25 ` [kernel-hardening] " Solar Designer
2011-08-10 12:04 ` Vasiliy Kulikov
2011-08-10 13:34 ` Solar Designer
2011-08-12 18:14 ` Simon Marechal
2011-06-06 19:20 ` [kernel-hardening] [RFC v1] procfs " Vasiliy Kulikov
2011-06-05 19:17 ` [kernel-hardening] " Vasiliy Kulikov
2011-06-05 19:40 ` Solar Designer
2011-06-05 19:53 ` Vasiliy Kulikov
2011-06-05 18:36 ` [kernel-hardening] Re: [owl-dev] " Vasiliy Kulikov
2011-06-05 18:47 ` [kernel-hardening] " Solar Designer