On Sat, Dec 08, 2007 at 05:01:27PM -0500, Aaron M. Ucko wrote: > Although this is an interesting idea, I have misgivings about running > even temporarily with any sort of extra privileges; C++ executables in > particular may run a fair bit of code from static objects' > constructors before main() ever starts.
There are no extra privileges; noptrace is intended to be a group that owns no files other than the sgid binaries, can write to none of them, contains no users, is unable to ptrace any other processes that it couldn't already, and doesn't grant privileges to kill any processes that the user couldn't already kill. It's an extra group membership, but where do you see extra privileges here? -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ [EMAIL PROTECTED] [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
