"Andy Glew" <firstname.lastname@example.org> writes:
>> > What's to stop a buggy web server from writing over files it's only
>> > supposed to serve, for example?
>> Read only access, maybe?
>> My Apache processes are running under a user role that does not allow
>> them to overwrite the files they are serving.
>That's the way to go - or, capabilities.
Full ack. When designing production Unix systems (Linux, in fact),
it is a good idea to have at least the network visible parts
running A) under their own uid, B) chrooted, if possible,
and C) with everything you can get away with being readonly.
>Whatever, the access control must be made lighter weight and
>not dependent on sysadmin/IT. I just set up a wiki server,
>and am tied in knots because sysadmins don't want to
>give me a new userid or groupid, so that I can properly
>restrict the server.
Shoot that admin. He does not honor security. It's a clear
sign of bad administration when people _request_ a proper
security related separation, and are denied due to laziness.
It does not help a bit if that laziness is codified as policy.
>Creation of new "user roles" should not require sysadmin
>intervention. It should be possible for any user role to create
>a subrole with a subset of capabilities.
A nice experimental OS I read about, which had that as one of its
main points, is Andrew Valencia's VSTA. See the capability papers at
>Administering your own machine, whether physical or virtual,
>might amount to the same thing.
Exactly. Regarding the "virtual" bit, another project worth looking
at, which is actively developed (though a bit off the normal Linux
development track), can be found at
That's an attempt at making Linux virtual at the syscall level,
giving the possibility to have whole different Linux distributions
running, private init process and all. Both the visible processes,
and the visible networking setup (netstat, IP address binding, also
its implicit wildcard forms) are properly virtualized.
We start to build production web farm systems, in-house, using this
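An added example, not from this thread, of the check behind point C above (everything the service does not need to write should be read-only for the service uid): a small POSIX shell audit that walks a document root and lists every file or directory the service account could modify through its uid, its primary group, or the world-writable bit. Function names, and the sample layout in the usage comment, are constructed for this example; it reads the classic mode bits only and does not inspect POSIX ACLs.

```shell
#!/bin/sh
# audit_writable DOCROOT SVC_USER [SVC_GROUP]
# Prints each path under DOCROOT that the service account could write to.
# Constructed example names; adapt DOCROOT and the account to the real setup.
audit_writable() {
    root=$1
    svc_user=$2
    # Default to the account's primary group when none is given.
    svc_group=${3:-$(id -gn "$svc_user")}
    # A path is writable by the service when:
    #   it owns the path and the owner write bit (0200) is set, or
    #   its group owns the path and the group write bit (0020) is set, or
    #   the path is world-writable (0002), regardless of owner.
    # Octal -perm forms are used so this runs on both GNU and BSD find.
    find "$root" \( -type f -o -type d \) \( \
        \( -user "$svc_user" -perm -0200 \) -o \
        \( -group "$svc_group" -perm -0020 \) -o \
        -perm -0002 \) -print | sort
}

# audit_count DOCROOT SVC_USER [SVC_GROUP]
# Number of writable paths; "0" is the state you want for a read-only tree.
audit_count() {
    audit_writable "$@" | wc -l | tr -d ' '
}

# Example run (constructed): audit the tree served as the account "www":
#   audit_count /srv/www/htdocs www
```

Anything the audit lists that the server has no reason to write (CGI scripts, static pages, configuration) is a candidate for chown to a separate owner or a chmod that drops the write bit.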