Re: Groups in the alternative user solution
On Thu, 2005-06-30 at 09:27 -0400, Ivan Gyurdiev wrote:
> What about Casey's suggestion in this thread:
>
> >
> > root:*:sysadm
> > fred:wheel:wand
> > *:wheel:staff
> > *:*:normal
> >
> > Fred would be in "wand" if only in group wheel,
> > in "normal" if in groups wheel and dev. Fun.
>
> Not sure I understand...
> So if Fred is in more groups other than wheel,
> he maps to normal? What's the rationale for that?
I didn't understand the reasoning there either, particularly as we
aren't dealing with the effective GID but the entire authorized group
list for the user since we are only doing this once at login/su time.
> Controlling information disclosure? Does that *
> take precedence to fred? What about conflicts?
> This seems complicated...
I was originally thinking more along the lines of just selecting the
first matching entry (order-dependent), and group match just required
membership in the listed group, not an exact match (if you are going to
support group-based matching).
--
Stephen Smalley
National Security Agency
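The resolver below is an added illustration, not code from the thread or from SELinux: it implements the semantics Stephen proposes in his reply (entries tried in order, first match wins, `*` matches anything, and a group entry matches when the user is a member of that group rather than requiring an exact match against the whole group set) over the `user:group:label` table quoted from Casey. The mapping table is the one in the thread; the group memberships, the `parse_table`/`resolve` names and the "no match means no label" behaviour are assumptions made for this example.

```python
from __future__ import annotations

from typing import Iterable, Optional

# The user:group:label table quoted in the thread.
MAPPING_TABLE = """\
root:*:sysadm
fred:wheel:wand
*:wheel:staff
*:*:normal
"""

# Constructed group memberships: the full authorized group list that is
# available once, at login/su time, which is what the reply says is matched.
GROUPS = {
    "root": {"root"},
    "fred": {"wheel", "dev"},   # fred is in wheel *and* dev
    "alice": {"wheel"},
    "bob": {"users"},
}


def parse_table(text: str) -> list[tuple[str, str, str]]:
    """Parse 'user:group:label' lines; blank lines and '#' comments are skipped.

    Malformed lines raise rather than being silently ignored, so a typo in
    the table cannot quietly turn into a wildcard or a dropped entry.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {lineno}: expected user:group:label, got {raw!r}")
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def resolve(user: str, groups: Iterable[str],
            entries: list[tuple[str, str, str]]) -> Optional[str]:
    """Return the label of the first entry whose user and group fields match.

    A group field matches on membership: the user only has to be *in* that
    group, extra groups do not prevent the match.  Order is significant.
    """
    member_of = set(groups)
    for entry_user, entry_group, label in entries:
        if entry_user != "*" and entry_user != user:
            continue
        if entry_group != "*" and entry_group not in member_of:
            continue
        return label
    return None  # nothing matched; a caller should treat this as "no mapping"


def resolve_all(table: str, memberships: dict[str, set[str]]) -> dict[str, Optional[str]]:
    """Resolve every user in `memberships` against `table`."""
    entries = parse_table(table)
    return {user: resolve(user, groups, entries) for user, groups in memberships.items()}


if __name__ == "__main__":
    for user, label in resolve_all(MAPPING_TABLE, GROUPS).items():
        print(f"{user}: {label}")
```

Under these first-match rules fred resolves to `wand` even though he is also in `dev`, which is the point of difference from the reading Ivan questioned; swapping the `fred:wheel:wand` and `*:wheel:staff` lines would give him `staff` instead, which is what "order-dependent" means in practice and why such a table should be reviewed as an ordered policy rather than a set of independent rules.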
--
This message was distributed to subscribers of the selinux mailing list.