On 05.01.2015 00:40, Jude Nelson wrote:

Hi

>> In VAX/VMS there was a feature that could in theory be useful,
>> though I've never seen it actually used. Fila permissions could
>> forbid the root user from reading the file. This might be useful
>> for dire secrets. Even the sysadmin couldn't back up that file.
>
> I think for some applications (like dealing with medical records), this
> is a legal requirement.

No, certainly not (I'm currently working in than area) - that's just
misinterpretation. Instead you'll need clear access control rules,
mich might have to prevent _operators_ from accessing certain data.
In that case, operators wont have root access.

> On Linux at least, locking a user with CAP_SYS_PTRACE out of a userspace
> filesystem is impossible, since in the extreme the user can always
> ptrace it and override its behavior. In vdev's case, even though it's
> possible to create an ACL that prevents even root from seeing devices
> via the VFS, a privileged user could still get past it. I'll be sure to
> document this--I wouldn't want users to get lulled into a false sense of
> security.

On Unix/Linux, root / pid 0 can do everything, by definition. (not even
capabilities / selinux really can stop this). That's why root only
should be used very rarely (optimally, just for initial system setup).
Unfortunately, most applications and distros aren't made for this yet.
But w/ our current vdev discussions, I'd like to go some further steps
into that direction. (and yes: plan9 has a lot of good concepts, we
should have a closer look at)


cu
--
Enrico Weigelt,
metux IT consulting
+49-151-27565287