Coda File System

Re: process authentication groups

From: Kragen <kragen_at_pobox.com>
Date: Wed, 13 May 1998 09:40:08 -0400 (EDT)

On Wed, 13 May 1998, Brian Bartholomew wrote:
> > Root can fairly easily change fields in the group array on some
> > systems -- so this doesn't look so nice.
> 
> Root can write physical memory, so it can do anything it wants.

Agreed.  Root can (more easily) load a kernel module that gives them a
new system call to set the pag of an arbitrary process.  If you don't
trust root on the client machine, you can't trust anything coming from
that machine.

I was under the impression that the pag was more of a convenience
mechanism for machines on which you *do* trust root.

The pag can't even force two telnet sessions by the same user to
authenticate separately.  One session can run a fileserver process that
the other can connect to to access Coda files.

What the pag *can* do is prevent process A from using process B's
credentials without collusion from either process B or root, even if A
and B are the same user.  I can't think of any way to do this in Linux
right now.  Is it possible?

Environment variables are inherited properly, but are publicly
readable, or at least readable by that user.  Filesystem files are
readable by that user.  File *descriptors* without the close-on-exec
flag might possibly do the job with a lot of hacking.

Kragen
Received on 1998-05-13 09:42:24
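
The message's closing point about file descriptors and the close-on-exec flag, as an added example that is not part of the original message or of Coda: a descriptor holding a token is passed to a freshly exec'd program only when FD_CLOEXEC is not set. The token value and the function name token_survives_exec are constructed for illustration, and the code assumes a POSIX system with /bin/sh.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define TOKEN "constructed-token"   /* constructed sample credential */

/* Park TOKEN in a pipe, then fork and exec a fresh /bin/sh that tries to
 * read it back through the inherited descriptor number.
 * Returns 1 if the exec'd program read the token, 0 if it could not,
 * -1 on setup failure. */
int token_survives_exec(int set_cloexec)
{
    static const char line[] = TOKEN "\n";
    size_t len = sizeof line - 1;
    int p[2], status;

    if (pipe(p) < 0)
        return -1;
    if (write(p[1], line, len) != (ssize_t)len)
        return -1;
    close(p[1]);                    /* only the read end carries the token */
    if (set_cloexec && fcntl(p[0], F_SETFD, FD_CLOEXEC) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char cmd[128];
        /* The new program knows only the descriptor number, not the token. */
        snprintf(cmd, sizeof cmd,
                 "{ read t <&%d; } 2>/dev/null && [ \"$t\" = " TOKEN " ]", p[0]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                 /* exec itself failed */
    }
    close(p[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("inheritable fd:   token readable after exec = %d\n", token_survives_exec(0));
    printf("close-on-exec fd: token readable after exec = %d\n", token_survives_exec(1));
    return 0;
}
```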