> From: Darren Reed <darrenr_at_cyber.com.au>
>
> I think that the approach being described here is good for chroot'd
> environments and maybe that's all. Out in the big bad world of Unix,
> if I have "uid 0" and I can use cron/crontab, what does it matter if
> I can or can't open /dev/kmem myself? The cron daemon is not very
> likely to have any restrictions placed upon it and neither is there
> any standard transferral of privileges you (no longer) have.
>
> If I could mention that yucky Orange Book for a second, were the
> data labelled going into cron/crontab and those programs recognised
> those labels, then perhaps the confinement would be worthwhile.

I would hope that any B-level system out there would extend the labeling
and privileges to the cron/at subsystem. All the ones I have seen do.
paul
---------------------------------------------------------
Paul McNabb Argus Systems Group, Inc.
Vice President and CTO 1809 Woodfield Drive
mcnabb_at_argus-systems.com Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433 "Securing the Future"
---------------------------------------------------------
Received on Nov 17 1997