[NT ACLS] Using the security.* namespace for NTACL considered improper

simo idra at samba.org
Wed Jan 20 09:27:02 MST 2010


On Wed, 2010-01-20 at 17:00 +0100, Stefan (metze) Metzmacher wrote:
>    Extended security attributes
>        The security attribute namespace is used by kernel security
>        modules, such as Security Enhanced Linux. Read and write access
>        permissions to security attributes depend on the policy
>        implemented for each security attribute by the security module.
>        When no security module is loaded, all processes have read access
>        to extended security attributes, and write access is limited to
>        processes that have the CAP_SYS_ADMIN capability.
> 
> CAP_SYS_ADMIN is only needed for writing, not reading, and that is the
> difference between security. and trusted.

Yes, every time we need to write the ACLs, at the moment, we need to use
become_root(), but we don't really need to be uid 0 to write. All we
need is to have CAP_SYS_ADMIN.

What I am saying is that unless retaining CAP_SYS_ADMIN has unintended
consequences in other parts of the code, we could get rid of the need to
call become_root() to write ACLs (or to read them if they were moved to
trusted.*, which won't happen at the moment).

become_root() comes with a cost and a risk, so removing it, where
possible, looks like a very good idea.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
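An added example, not Samba code and not from this thread, that demonstrates the point Simo makes: a process that has given up uid 0 but retained CAP_SYS_ADMIN can still write a security.* xattr, so become_root() is not strictly necessary for the write path. It encodes the attr(5) rules quoted above, checks the effective capability set from /proc/self/status, and probes setxattr on a temp file before and after dropping root. Assumptions: Linux with no LSM loaded (SELinux or similar adds its own policy on top), the attribute name security.NTACL taken from the subject line, uid 65534 as the unprivileged identity, and a four-byte constructed blob standing in for Samba's NDR-encoded ACL. The second probe only runs when started as root; capset() is invoked as a raw syscall so no libcap is required.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/xattr.h>
#include <linux/capability.h>

/* Pure helper: does a CapEff hex mask from /proc/self/status contain
 * CAP_SYS_ADMIN (bit 21)? strtoull skips the leading tab. */
int cap_mask_has_sys_admin(const char *hexmask)
{
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> CAP_SYS_ADMIN) & 1ULL);
}

/* Privilege the kernel demands per xattr namespace with no LSM loaded,
 * following the attr(5) text quoted in the thread:
 *   security.*  read: anyone          write: CAP_SYS_ADMIN
 *   trusted.*   read: CAP_SYS_ADMIN   write: CAP_SYS_ADMIN
 *   user.*      ordinary file permissions for both
 * Returns 1 if CAP_SYS_ADMIN is required, 0 if not, -1 for other namespaces. */
int xattr_needs_sys_admin(const char *name, int writing)
{
    if (strncmp(name, "security.", 9) == 0) return writing ? 1 : 0;
    if (strncmp(name, "trusted.", 8) == 0)  return 1;
    if (strncmp(name, "user.", 5) == 0)     return 0;
    return -1;
}

/* 1 if CAP_SYS_ADMIN is in this process's effective set, 0 if not,
 * -1 if /proc is unavailable. */
int process_has_sys_admin(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int result = 0;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            result = cap_mask_has_sys_admin(line + 7);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Give up uid 0 but keep exactly CAP_SYS_ADMIN. PR_SET_KEEPCAPS preserves the
 * permitted set across the uid change (the effective set is cleared), then
 * capset() re-raises CAP_SYS_ADMIN alone. Returns 0 or -errno. */
int drop_root_keep_sys_admin(uid_t uid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -errno;
    if (setresuid(uid, uid, uid) < 0) return -errno;
    data[0].permitted = data[0].effective = 1u << CAP_SYS_ADMIN;
    if (syscall(SYS_capset, &hdr, data) < 0) return -errno;
    return 0;
}

/* The write Samba does under become_root(); 0 on success, else -errno. */
int try_setxattr(const char *path, const char *name, const void *blob, size_t len)
{
    return setxattr(path, name, blob, len, 0) == 0 ? 0 : -errno;
}

static void report(const char *stage, const char *path, const void *blob, size_t len)
{
    int rc = try_setxattr(path, "security.NTACL", blob, len);
    printf("%-26s euid=%-6u CAP_SYS_ADMIN=%-3s setxattr(security.NTACL) -> %s\n",
           stage, (unsigned)geteuid(), process_has_sys_admin() == 1 ? "yes" : "no",
           rc == 0 ? "ok" : strerror(-rc));
}

int main(void)
{
    char path[] = "/tmp/ntacl-probe-XXXXXX";
    static const unsigned char blob[] = { 0x04, 0x00, 0x00, 0x00 }; /* constructed stand-in */
    int fd = mkstemp(path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    close(fd);

    report("as started", path, blob, sizeof blob);
    if (geteuid() == 0) {
        chown(path, 65534, (gid_t)-1);            /* so the unlink below still works */
        int rc = drop_root_keep_sys_admin(65534); /* uid 65534 is an assumption */
        if (rc) fprintf(stderr, "drop_root_keep_sys_admin: %s\n", strerror(-rc));
        else report("uid 65534 + CAP_SYS_ADMIN", path, blob, sizeof blob);
    }
    unlink(path);
    return 0;
}
```

Run it unprivileged and the first probe fails with EPERM; run it as root and both probes succeed, the second with euid 65534 and only CAP_SYS_ADMIN in the effective set. The kernel's VFS leaves security.* to the security module, and with none loaded the capability check is the only gate, so the file's owner and mode play no part in the write. Note that gids and supplementary groups are untouched here; a real daemon would also change those before relying on the reduced identity.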
