[Zope] OT: Unix Permissions (was Re: [Zope] Starting Zope)

Bill Anderson bill@libc.org
Mon, 31 Jul 2000 20:14:35 -0600


Cary O'Brien wrote:

[...]

> > in your case is the fact that you mention your trust on users (humans are
> > the most easy to compromise, however that argument is a bit OT). However,
> > do you trust all of your webserver code? Do you trust your cgi-bin
> > scripts and applications? And by trust I not only mean harmful intent by
> > the authors of software, but unintentional bugs which can be exploited,
> > and will be given the privilege to bind to <1024 ports even when they run
> > as a user with least privileges.
> >
> 
> My revised thinking is that the patch should only lift the restriction
> for just the necessary ports.
> 
> Another idea is to do it with groups, say let group n be a "net-privileged" group.


And yet another (and perhaps the better) is to look into the ACL support work being done
at the kernel level. You can search the Linux Kernel mailing list archives for further
details. Note: this is not production work, last I heard.

Then again, neither is modifying the kernel in non-standard ways ;^)


--
Do not meddle in the affairs of sysadmins, for they are easy to annoy,
and have the root password.