Subject: Re: kern.showallprocs implementation
To: Elad Efrat <elad@NetBSD.org>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-kern
Date: 08/30/2005 11:09:32

On Tue, Aug 30, 2005 at 07:16:23PM +0300, Elad Efrat wrote:
> Steven M. Bellovin wrote:
>
> > Compatibility is a good thing, in my opinion.  I suggest that we find
> > out why FreeBSD picked the name they did.
>
> http://sysctl.enderunix.org/view.php?id=19&lang=en
>
> ``The security.bsd sysctl hierarchy sets global properties of the BSD
> security model. The following sysctls are defined:''
>
> This is the name chosen for this node by FreeBSD.
>
> If we have a closer look at the features, we can clearly see that they
> (most of them) were definitely not introduced in FreeBSD, nor any BSD:

I think you are missing the point. My understanding is it's not that the
features were definitively introduced in FreeBSD or in a BSD, it's the
model used for privilege designation and delineation.

> see_other_uids, see_other_gids - 3rd-party patches for these were around
> for years.
>
> hardlink_check_uid, hardlink_check_gid - These were implemented by Solar
> Designer (first in Openwall, now Owl) for almost a decade now.
>
> suser_enabled - out of the question for us, at the moment.

Total tangent, why is this not possible as a readable node?

> conservative_signals, unprivileged_proc_debug,
> unprivileged_read_msgbuf, unprivileged_get_quota - don't we want these
> per-program (perhaps inside a per-program policy..?) or per-user?
>
> Bottom line is that these features are not any ``BSD security model''
> that was discussed; it's a collection of commonly requested features
> as implemented in FreeBSD. I see no reason to keep any compatibility.

I think you're missing the forest for the trees. Look at the names.
"unprivileged_" this and "unprivileged_" that. How does the kernel know if
something's privileged or not? UID 0. And I think that's why it's the
"BSD security model." It runs on UID/EUID/GID/EGID and such.

Sure, it could have been the "unix" security model (modulo the fact that
"UNIX" is a trademark in the USA). It could have been the "traditional"
model, but that's kinda long to type. But it's not, it's "bsd". Since
there's prior art, if we are doing the same thing as prior art (even if we
do it our own way), why not use the same name?

If I thought the naming was because it was a "coherent security model
introduced in *BSD," then I would agree with you strongly about the name
being inappropriate. :-)

Take care,

Bill
