
Re: [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv



George Dunlap writes ("Re: [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv"):
> Oh, actually, 65534 is "nogroup", which is the default when you don't
> add a specific group.
> 
> Should we recommend creating a separate group for the Xen qemus in our
> feature doc?  Or should we just mention the possibility, but leave the
> actual example to the default (which will normally end up with the
> `nogroup` group)?

`nogroup' isn't as big a problem in general as `nobody'.  (No
processes may ever run as nobody because to avoid unintendedly
permitting access, such a non-id must either have no principals or no
objects, and a process running with a particular uid is both; whereas
running as a particular group does not turn a process into an object
accessible via that group.)

But it's still probably best avoided in case of mistakes.  Also
assigning a group to all the qemus may make some kinds of
configuration applicable to all of them easier.

So I think we should recommend creating one group for this.

Ian.
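The distinction drawn above (a process that runs as `nobody' is a hard error, a process that merely belongs to `nogroup' is a mistake worth flagging) can be checked mechanically. The following is an added example, not code from the xen-devel thread or from the Xen depriv test tool: it parses the credential lines of a /proc/<pid>/status-style record and reports findings; the sample records, the uid/gid 40001 and the process names are constructed.

```python
# Added example (not part of the thread or of Xen's test/depriv tool):
# audit /proc/<pid>/status-style credential lines for the nobody/nogroup
# pitfalls discussed above. All sample records below are constructed.
from typing import Dict, List

NOBODY_UID = 65534   # "nobody" on typical Linux systems
NOGROUP_GID = 65534  # "nogroup", the default when no group is assigned


def parse_status(text: str) -> Dict[str, List[int]]:
    """Extract Uid/Gid (real, effective, saved, fs) and Groups lists."""
    creds: Dict[str, List[int]] = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Uid", "Gid", "Groups"):
            creds[key] = [int(v) for v in value.split()]
    return creds


def audit(name: str, status: str) -> List[str]:
    """Return findings for one process record.

    uid 0 or uid nobody anywhere in the credential set is an error:
    a uid is both a principal and an object, so a process owned by
    nobody is reachable by anything else that ends up as nobody.
    gid nogroup is only a warning: a group grants access but does not
    make the process an object, yet a dedicated group is still safer.
    """
    creds = parse_status(status)
    uids = set(creds.get("Uid", []))
    gids = set(creds.get("Gid", [])) | set(creds.get("Groups", []))
    findings: List[str] = []
    if 0 in uids:
        findings.append(f"{name}: ERROR uid 0 present in credential set")
    if NOBODY_UID in uids:
        findings.append(f"{name}: ERROR runs as nobody (uid {NOBODY_UID})")
    if NOGROUP_GID in gids:
        findings.append(f"{name}: WARN member of nogroup (gid {NOGROUP_GID});"
                        " recommend a dedicated group")
    return findings


# Constructed sample records (constructed uid/gid 40001, not a Xen value).
SAMPLE_GOOD = "Name:\tqemu-a\nUid:\t40001\t40001\t40001\t40001\nGid:\t40001\t40001\t40001\t40001\nGroups:\t40001 \n"
SAMPLE_NOGROUP = "Name:\tqemu-b\nUid:\t40001\t40001\t40001\t40001\nGid:\t65534\t65534\t65534\t65534\nGroups:\t65534 \n"
SAMPLE_NOBODY = "Name:\tqemu-c\nUid:\t65534\t65534\t65534\t65534\nGid:\t65534\t65534\t65534\t65534\nGroups:\t65534 \n"

if __name__ == "__main__":
    for n, s in (("qemu-a", SAMPLE_GOOD), ("qemu-b", SAMPLE_NOGROUP), ("qemu-c", SAMPLE_NOBODY)):
        print("\n".join(audit(n, s)) or f"{n}: ok")
```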

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel