[cap-talk] Capabilities vs. identity/acl - the rub, rub, rub

Trey Boudreau trey at treysoft.com
Wed Nov 22 19:58:56 CST 2006


On Wed, Nov 22, 2006 at 05:29:31PM -0600, Stiegler, Marc D wrote:
> > 
> > 3.  You can look for any process with any of those identities.
> > Any access must come from one of those processes.
> 
> This is a surprising thing to claim that anyone can do in an acl system.
> Are you assuming that everyone is running as sys admin? Certainly, on
> Windows only the sys admin can see all the processes running for all the
> identities. Is Linux more broken than Windows on this matter, so
> everyone can see all the processes I run?
> 
Linux has a directory entry in /proc for every process ID, with user and
group set to the owner of the process, and with "other" permissions set
to r-x.  The files in the individual process directories have more
restrictive permissions.

-- Trey


More information about the cap-talk mailing list