Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 10 Aug 2011 15:22:46 +0400
From: Solar Designer <>
Subject: Re: procfs {tid,tgid,attr}_allowed mount options

On Wed, Aug 10, 2011 at 02:02:27PM +0400, Vasiliy Kulikov wrote:
> One question: do we really need gid= option?  The only user I know is
> identd, but does anybody use it nowadays?

identd is mostly obsolete, but I am using gid= with 2.4.x-ow kernels to
let a group of sysadmins see all users' processes and network
connections without having to use su.  In fact, I use it on my very own
computers - again, to let my main desktop user account see everything,
while not letting my pseudo-user accounts (that I use for things such as
a web browser) also see everything (they're not in group proc).

> With gid= I see 2 drawbacks:
> 1) Code becomes worse because of additional permission checks.
> 2) From the upstream's point of view it is very limited and unextendable
> feature.

This feature is precisely what I needed and used for over a decade.
I never needed more flexibility.  Maybe this says something.

> So, I'd go further without gid=, at least for the beginning.

I don't know what works best for upstream acceptance in the beginning,
but I definitely want this feature to get in, and it is a must for Owl.



Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.