On Wed, 13 May 1998, Brian Bartholomew wrote:

> > Root can fairly easily change fields in the group array on some
> > systems -- so this doesn't look so nice.
>
> Root can write physical memory, so it can do anything it wants.

Agreed. Root can (more easily) load a kernel module that gives them a new system call to set the pag of an arbitrary process. If you don't trust root on the client machine, you can't trust anything coming from that machine.

I was under the impression that the pag was more of a convenience mechanism for machines on which you *do* trust root. The pag can't even force two telnet sessions by the same user to authenticate separately. One session can run a fileserver process that the other can connect to to access Coda files.

What the pag *can* do is prevent process A from using process B's credentials without collusion from either process B or root, even if A and B are the same user. I can't think of any way to do this in Linux right now. Is it possible? Environment variables are inherited properly, but are publicly readable, or at least readable by that user. Filesystem files are readable by that user. File *descriptors* without the close-on-exec flag might possibly do the job with a lot of hacking.

Kragen

Received on 1998-05-13 09:42:24
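The last mechanism Kragen mentions, handing a credential to descendants only through an inherited file descriptor, can be tried out directly. The C program below is an added example, not code from the mail or from Coda: it places a constructed token (`coda-token-demo`, a stand-in for a real pag credential) in a pipe, parks the read end on a fixed descriptor number, and then forks and execs `/bin/sh` to see whether the new program can still read it. The `cloexec` argument toggles `FD_CLOEXEC` on that descriptor, which is exactly the flag that decides whether the token crosses the `exec()` boundary. The token value, the descriptor number 7 and the helper name are choices made for this demonstration.

```c
/* Added example (not Coda code): a credential-like token passed to a child
 * only by descriptor inheritance, and how FD_CLOEXEC cuts that off at exec(). */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed token; a real pag credential would be kernel-held state. */
static const char TOKEN[] = "coda-token-demo";
/* Descriptor number the exec'd program is told to read the token from (arbitrary). */
#define TOKEN_FD 7

/* Hand the token to a child purely through an inherited descriptor, then exec
 * a fresh program (/bin/sh) that tries to read it back.
 * Returns 1 if the exec'd program could read the token, 0 if it could not,
 * and -1 on a setup error. `cloexec` selects whether the descriptor carries
 * FD_CLOEXEC, i.e. whether the kernel closes it across exec(). */
int token_survives_exec(int cloexec)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;

    /* Write the token plus a newline so the shell's `read` gets a whole line,
     * then close the write end so the reader sees EOF afterwards. */
    char line[sizeof TOKEN + 1];
    snprintf(line, sizeof line, "%s\n", TOKEN);
    if (write(p[1], line, strlen(line)) != (ssize_t)strlen(line))
        return -1;
    close(p[1]);

    /* Park the read end on the well-known number. dup2() always clears
     * FD_CLOEXEC on the new descriptor, so the flag is set explicitly below. */
    if (p[0] != TOKEN_FD) {
        if (dup2(p[0], TOKEN_FD) < 0)
            return -1;
        close(p[0]);
    }
    if (fcntl(TOKEN_FD, F_SETFD, cloexec ? FD_CLOEXEC : 0) != 0)
        return -1;

    /* The exec'd program: succeed only if the descriptor still exists and
     * yields the expected token. Built before fork() to keep the child simple. */
    char cmd[128];
    snprintf(cmd, sizeof cmd, "read -r t <&%d && [ \"$t\" = \"%s\" ]",
             TOKEN_FD, TOKEN);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: after exec, inherited descriptors are all that remains of us. */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(TOKEN_FD);            /* parent no longer needs the read end */

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: token readable after exec = %d\n",
           token_survives_exec(0));
    printf("with    FD_CLOEXEC: token readable after exec = %d\n",
           token_survives_exec(1));
    return 0;
}
```

Build with `cc -o fdtoken fdtoken.c && ./fdtoken`. The first run prints 1 and the second 0: the descriptor is the only channel, so whether the program started by `exec()` can use the token is decided entirely by the flag. This only shows the inheritance half of the idea; it says nothing about the mail's main worry, since anything root or the same user can already do to the holding process is unaffected by how the token was passed.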