Subject: Re: Getting rid of /dev/veriexec
To: matthew green <mrg@eterna.com.au>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-kern
Date: 12/02/2005 15:33:04
On Sat, Dec 03, 2005 at 10:18:20AM +1100, matthew green wrote:
>
> > Nathan J. Williams wrote:
> >
> > > I object to those, too.
> >=20
> > Why?
>
> The same reason; I don't like sysctl being used for things other than
> individual knobs. I'm OK with sysctl(8) as a UI, but I don't think
> that sysctl(3) does much but duplicate other infrastructure - namely,
> the filesystem.
>
> while i agree that using sysctl for "control" interface is not
> perhaps the right thing, using it to export data is something
> that's been true for a long time and using it to remove set-id
> bits from various apps has been a goal of the project for a
> long time. it's not just security, either - it means that ps(1)
> works always now, even 32 bit ps(1) 64 bit kernel.

To be honest, I wish we didn't use sysctl here. I think it is an abuse of
the interface. I think there are ways we could have done the same thing
with other methods.

That said, while I don't like what we have done with sysctl here, I think
it's MUCH better than the set-id code we had. Adding structure to the data
access is a good thing. :-)

Take care,
Bill