Jeffrey Hutzelman <[EMAIL PROTECTED]> writes:

> Personally, I don't consider the inability to go back to the default
> UID pag to be a deliberate feature; it's just a side-effect of the way
> we implement PAG's (by making it so that setgroups always preserves a
> PAG) combined with the lack of any sort of switch-to-this-PAG
> operation.
> Love said: "convince me that dropping it doesn't introduce security problems".

If default PAGs are by uid, it might be possible to use root's PAG after saying "default, please" and calling something setuid. If the default is PAM managed somehow, that's not a problem, and we end up with a proper jail? Do we want the switch-to-this-PAG thing?

/Tomas
