On Sun, 2006-04-30 at 20:48 +0200, Tom Bachmann wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jonathan S. Shapiro wrote:
> > In the absence of setuid, and assuming that parents get to inspect their
> > children, how is /sbin/passwd protected?
> >
>
> Not at all. It only accesses data the user is allowed to access. I
> explained this in a former mail.
Apparently I did not see it. Here is the essential question: /sbin/passwd requires the authority to write the password database, which the user does not have. So: we must answer

(1) how does /sbin/passwd come to hold this authority when the user does not?

(2) Given that the running instance of /sbin/passwd is a child of a program owned by the user, what stops the parent program from reading that authority out of the /sbin/passwd running image?

I do remember a proposal that we should trust the user's top-level shell. I do not know if it was your proposal, but this is not sufficient unless we somehow guarantee that *only* the top-level shell has the authority to start a copy of /sbin/passwd...

shap

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
