3 Oct 2001 nmw   » (Journeyer)

lkcl: Right you are. Except, we need to go a bit further: the Unix kernels need to support SIDs. That means throwing setuid() and friends out the window.

There will be a lot of resistance -- in fact, the idea does not advance; someone has to implement it first (perhaps one of the many "security enhanced" Linux versions out there, such as the NSA's, implements this or a suitable framework for implementing SIDs at the kernel level).

Of course, filesystems too need to support SIDs.

And the old flat UID/GID system has to remain available for backwards compatibility.

In other words, processes need to have multi-component, extensible credentials. And I say they need to have an array of creds, with each thread (or clone()ed process) having an "effective" cred array index.
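
A sketch of the credential layout proposed above, as an added example that is not from the original post or from any kernel. Every struct name, field and limit here is hypothetical; it models a per-process credential array, a per-thread effective index, and the flat UID/GID kept for compatibility.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SID_MAX_SUB 8   /* constructed limits for this sketch */
#define CRED_MAX    4

/* Multi-component identifier (hypothetical layout). */
struct sid {
    uint8_t  nsub;              /* components in use */
    uint32_t sub[SID_MAX_SUB];  /* issuing domain parts, then relative id */
};
/* One credential: a SID plus the flat uid/gid kept for old interfaces. */
struct cred {
    struct sid sid;
    uint32_t   legacy_uid, legacy_gid;
};
struct process {                /* the credential array belongs to the process */
    struct cred creds[CRED_MAX];
    size_t      ncreds;
};
struct thread {                 /* a thread only picks the effective index */
    const struct process *proc;
    size_t effective;
};

static int sid_equal(const struct sid *a, const struct sid *b) {
    return a->nsub <= SID_MAX_SUB && a->nsub == b->nsub &&
           memcmp(a->sub, b->sub, a->nsub * sizeof a->sub[0]) == 0;
}

/* Stands in for a setuid()-style switch: select an existing credential,
 * never mint a new identity. Out-of-range indexes are refused. */
int thread_select_cred(struct thread *t, size_t idx) {
    if (idx >= t->proc->ncreds)
        return -1;
    t->effective = idx;
    return 0;
}

/* Ownership test against the effective credential only. */
int thread_owns(const struct thread *t, const struct sid *owner) {
    return sid_equal(&t->proc->creds[t->effective].sid, owner);
}

/* Flat uid for callers that still use the old interface. */
uint32_t thread_legacy_uid(const struct thread *t) {
    return t->proc->creds[t->effective].legacy_uid;
}
```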
