[Openicc] GSoC 2013 preparations

Robert Krawitz rlk at alum.mit.edu
Wed Mar 20 05:36:59 PDT 2013


On Wed, 20 Mar 2013 18:26:27 +1100, Graeme Gill wrote:
> Richard Hughes wrote:
>
>> does not have read permission on the target. As a general permissions
>> issue, daemons are not allowed access to files in /home, and with
>> SELinux are actively blocked from doing so.
>
> But surely this can be fixed, i.e., give a specific daemon permission
> to read & monitor a specific file?

That might not be possible.

Many daemons don't run as root, and in general, the fewer the better for
security purposes (if something doesn't need superuser privs, it
shouldn't have them; if there's one very specific capability it needs,
give it that capability, but don't give it general file access
privileges, which pretty much just opens everything up).

In addition, if the user's home directory is located on remote, secured
storage (e. g. Kerberos-aware NFS), a system daemon, even if running as
local superuser, may not have access to the user's authentication tokens.
-- 
Robert Krawitz                                     <rlk at alum.mit.edu>

MIT VI-3 1987 - Congrats MIT Engineers 5 straight men's hoops tourney
Tall Clubs International  --  http://www.tall.org/ or 1-888-IM-TALL-2
Member of the League for Programming Freedom  --  http://ProgFree.org
Project lead for Gutenprint   --    http://gimp-print.sourceforge.net

"Linux doesn't dictate how I work, I dictate how Linux works."
--Eric Crampton
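As an added illustration of the least-privilege point made in the reply above (this is not part of the original thread and not code from any project discussed in it): two systemd service units for a hypothetical daemon. Unit name, binary path, user name and the assumed need for CAP_NET_BIND_SERVICE are all placeholders; the directives themselves (User=, CapabilityBoundingSet=, AmbientCapabilities=, ProtectHome=, ProtectSystem=, NoNewPrivileges=) are real systemd options. The first unit is the "runs as root with general file access" case; the second grants exactly one capability and makes /home invisible to the service, which is the behaviour the thread describes for daemons under a hardened system policy.

```ini
# Added example, not from the original post. All names are hypothetical.

# ---- /etc/systemd/system/example-daemon-weak.service ----------------------
# Weak: no User= line, so the daemon runs as root and has general file access,
# including every user's home directory. A bug in the daemon exposes everything.
[Unit]
Description=Example daemon (weak configuration, hypothetical)

[Service]
ExecStart=/usr/libexec/example-daemon

[Install]
WantedBy=multi-user.target

# ---- /etc/systemd/system/example-daemon.service ---------------------------
# Least privilege: dedicated account, a single capability instead of root,
# and the sandboxing options that hide user data from the service.
[Unit]
Description=Example daemon (least-privilege configuration, hypothetical)

[Service]
ExecStart=/usr/libexec/example-daemon
User=example-daemon
Group=example-daemon
# Assumption for this example: the only privileged thing the daemon does is
# bind a low port. Grant that one capability and drop everything else from
# the bounding set, so "give it that capability" does not become "give it root".
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
# /home, /root and /run/user are presented empty to the service, so files in
# users' home directories are unreadable even if their file modes allow it.
ProtectHome=yes
# Root filesystem read-only except for explicitly granted paths.
ProtectSystem=strict
# execve() can never gain privileges (no setuid/fscaps escalation).
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

After installing the hardened unit, `systemd-analyze security example-daemon.service` reports which exposure-reducing options are set and which are missing, which is a quick way to check that a daemon that "doesn't need superuser privs" really has none. Note that ProtectHome=yes is a mount-namespace restriction applied regardless of the daemon's user, which is why simply adding read permission on one file in /home does not, by itself, let such a service see it.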

