Re: AppArmor for Fedora

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2007-08-28 at 08:36 -0400, Robert Locke wrote:
> /etc/passwd has always been "universally" readable.  As a quick
> example, note your use of "ll" which is really "ls -l" and the fact
> that the third and fourth columns are displaying "names" of the user
> and group associated with that file.  The reality is that the "names"
> are not stored on disk, but rather their numeric representation: uid
> and gid. In order for the ls command to display a name, it needs to
> "look up" the user's name associated with the uid it got from the
> filesystem.  Where is this "mapping" of uid and username kept?
> Yep, /etc/passed. 

Though, I would have thought that the safest way to do that, would not
be for applications to directly read the file, but to query the system,
and the system read that file.

Much the same as how name look-ups are done.  You ask the resolver,
which looks at a hosts file or uses a DNS server.  You don't have each
application doing that role.

I don't know how Linux does it, but in other systems, it is possible for
an application to open some file exclusively, and until its done with
it, nothing else can even read it.  The potential for an application to
do such a dastardly thing with an important file would be a reason to
not directly use the files, as a matter of policy.

-- 
[tim@bigblack ~]$ uname -ipr
2.6.22.1-41.fc7 i686 i386

Using FC 4, 5, 6 & 7, plus CentOS 5.  Today, it's FC7.

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.




[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux