On 7/31/19 11:00 AM, Toby Thain wrote:
> It may not address "all aspects" since it has been necessary for some
> purposes to extend the permission model substantially over time, such
> as ACLs, SELinux, etc.

I thought that ACLs acted as additional gates / restriction points
beyond what standard Unix file system permissions allowed. Meaning that
ACLs couldn't /add/ permission, but they could /remove/ permission.

I think SELinux behaves similarly. It blocks (removes) existing
permissions. Beyond that, I think SELinux is filtering (removing)
permissions when comparing what (who) is running combined with what is
being run further combined with what it is being run against. So again,
removing existing permissions.

The only thing that I'm aware of that actually /adds/ permissions is the
capability subsystem. It can give an unprivileged user the ability to
run a binary that can bind to a port below 1024.

--
Grant. . . .
unix || die
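
Added example, not part of the original message: the capability case mentioned above is stored on Linux as a `security.capability` extended attribute on the binary, and this Python sketch decodes that attribute so an auditor can see which files carry added privilege such as CAP_NET_BIND_SERVICE. The function names and the two sample byte strings are constructed for illustration; the layout follows the kernel's `vfs_cap_data` structure.

```python
import struct

REV_MASK = 0xFF000000
FLAG_EFFECTIVE = 0x000001
# revision -> number of 32-bit (permitted, inheritable) word pairs
REV_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}
REV_3 = 0x03000000  # revision 3 appends a 32-bit namespace root uid
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID",
             10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN",
             13: "CAP_NET_RAW", 21: "CAP_SYS_ADMIN"}
CAP_NET_BIND_SERVICE = 10

def decode_file_caps(raw: bytes) -> dict:
    """Decode a security.capability xattr value (little-endian)."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", raw, 0)
    rev = magic & REV_MASK
    if rev not in REV_WORDS:
        raise ValueError(f"unknown revision {rev:#x}")
    words = REV_WORDS[rev]
    expected = 4 + 8 * words + (4 if rev == REV_3 else 0)
    if len(raw) != expected:
        raise ValueError(f"bad length {len(raw)}, expected {expected}")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * words)[0] if rev == REV_3 else None
    return {"permitted": permitted, "inheritable": inheritable,
            "effective": bool(magic & FLAG_EFFECTIVE), "rootid": rootid}

def cap_names(mask: int) -> list:
    """Turn a capability bitmask into readable names."""
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1]

def auto_raises_net_bind(raw: bytes) -> bool:
    """True if exec of the file yields CAP_NET_BIND_SERVICE already effective
    (still subject to the caller's bounding set)."""
    caps = decode_file_caps(raw)
    return caps["effective"] and bool(caps["permitted"] >> CAP_NET_BIND_SERVICE & 1)

# Constructed samples: what `setcap cap_net_bind_service+ep` and `+p` would store.
SAMPLE_EP = bytes.fromhex("0100000200040000000000000000000000000000")
SAMPLE_P = bytes.fromhex("0000000200040000000000000000000000000000")

if __name__ == "__main__":
    for label, raw in (("+ep", SAMPLE_EP), ("+p", SAMPLE_P)):
        caps = decode_file_caps(raw)
        print(label, cap_names(caps["permitted"]), "effective:", caps["effective"])
```

On a live system the raw bytes come from `os.getxattr(path, "security.capability")`, which raises `OSError` for files with no capabilities set.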