RFC: capability to limit/allow access to various system info

Marek Habersack grendel at vip.net.pl
Sat Jan 29 16:38:11 CST 2000


Hi,

  Lately I've been trying to develop a small utility for users who have only
web/ftp access to their accounts on my server (mail via www and www page
upload via ftp) that would allow them to see the status of their
current quotas, number of files, blocks etc. The quota information is
available only for programs running as UID 0, which I won't allow any
CGI script to run as. But it occurred to me that it would be easy to equip
such a process with a capability that allows retrieving such information
about the user. Right now the only capabilities that allow such access to
this kind of information are CAP_SYS_ADMIN and CAP_SYS_RESOURCE. Both of
them are far too powerful as they also allow write access to some areas of
the system configuration. I thought it would be good to have a capability,
say CAP_SYS_INFO, that would allow access to some system information (right
now only quotas and resource limits come to my mind) for non-UID 0 processes.
I think adding such a thing to the kernel wouldn't be too hard; the only
question that remains is whether it makes sense or not.

marek