1998-12-17 15:29:50[permalink] [raw]
Peter Benie writes:
> Stefan Monnier <monnier+misc/[email protected]> wrote:
>> [email protected] (Peter Benie) wrote:
>>> I don't actually see the point of implementing a read-only loopback
>>> mount. There are already protection mechanisms in the kernel to
>>> prevent one user from writing to another user's files. If you need to
>>> run a program so that it cannot write to any files, just run the
>>> program under a different uid.
>> Following the same reasoning: why allow things like `chmod u-w' since
>> the user can change it back anyway !
> Huh? I can't see how that follows, and I don't understand the point
> that you're trying to make.
> What I'm saying is that there are standard ways under Unix to stop
> programs from writing to your files
> To use the kernel's existing protection mechanisms that protect
> non-zero uids from each other.
Those protection mechanisms are likely to fail.
The NSA even has a report on the failure of normal access control:
The report explains why access control failure is inevitable, at least
with the normal controls provided by unix and NT. They advocate some
more advanced methods that help prevent mistakes.