PERFORCE change 148378 for review
Robert Watson
rwatson at FreeBSD.org
Mon Aug 25 13:47:39 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=148378
Change 148378 by rwatson at rwatson_fledge on 2008/08/25 13:47:16
Continue general rename of capabilities -> privileges to prepare
to put up pages on both the 8.x privileges project and the new
capabilities project.
Affected files ...
.. //depot/projects/trustedbsd/www/components.page#10 edit
.. //depot/projects/trustedbsd/www/developers.dev#3 edit
.. //depot/projects/trustedbsd/www/mailinglists.page#4 edit
.. //depot/projects/trustedbsd/www/privileges.page#2 edit
.. //depot/projects/trustedbsd/www/sidebar.xml#11 edit
Differences ...
==== //depot/projects/trustedbsd/www/components.page#10 (text+ko) ====
@@ -37,7 +37,7 @@
<cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0">
<cvs:keyword name="freebsd">
- $P4: //depot/projects/trustedbsd/www/components.page#9 $
+ $P4: //depot/projects/trustedbsd/www/components.page#10 $
</cvs:keyword>
</cvs:keywords>
@@ -71,7 +71,7 @@
instructions on the mailing lists page. This provides access
to CVS and Perforce commit messages associated with development
occuring in the TrustedBSD development trees, including the
- Base (vendor) branch, Capabilities branch, Audit branch, MAC
+ Base (vendor) branch, Privileges branch, Audit branch, MAC
branch, SEBSD branch, and SEDarwin branch.</p>
<p>There are seven main branches of TrustedBSD development:</p>
@@ -133,7 +133,7 @@
processes to tag files with arbitrary named data. This
provides a location to store the extensive security data
required for the various TrustedBSD security extensions,
- including ACLs, capabilities and MAC labels. Extended
+ including ACLs, privileges and MAC labels. Extended
attribute support has been developed for FreeBSD's UFS1
file system and integrated with the FreeBSD development
tree, and was included in FreeBSD 5.0. UFS2 was
@@ -144,29 +144,6 @@
functionality.</p>
</dd>
- <a name="capabilities" />
- <dt><p>Fine-Grained Capabilities</p></dt>
-
- <dd>
- <p>
- <span id="collection-label">Collection:</span>
-
- <span id="cvsup-collection">p4-cvs-trustedbsd-cap</span>
- </p>
-
- <p>Capabilities provide support for fine-grained process
- capabilities to authorize non-root processes to access
- privileged system resources, reducing requirements for a
- superuser account, and reducing risk in the event of
- compromise. The capabilities development branch is
- largely complete, but is based on an older FreeBSD
- 5.0-CURRENT snapshot. Elements of this implementation
- are being updated for FreeBSD 5.2 and are available as
- part of the SEBSD version of the TrustedBSD MAC Framework.
- For more information, see the <a href="cap.html">Capability
- Page</a>.</p>
- </dd>
-
<a name="geom" />
<dt><p>GEOM</p></dt>
@@ -216,6 +193,37 @@
Project.</p>
</dd>
+ <a name="privileges" />
+ <dt><p>Fine-Grained Privileges</p></dt>
+
+ <dd>
+ <p>
+ <span id="collection-label">Collection:</span>
+
+ <span id="cvsup-collection">p4-cvs-trustedbsd-cap</span>
+ </p>
+
+ <p>NB: Historically this project was referred to as fine-grained
+ capabilities, but due to a vocabulary conflict, it has been
+ renamed to fine-grained privileges. Information in this
+ section and on the privileges page currently refers to a
+ FreeBSD 5.x-era project to support fine-grained privileges,
+ and will shortly be superseded by a similar project for
+ FreeBSD 8.x.</p>
+
+ <p>Privileges provide support for fine-grained process
+ privileges to authorize non-root processes to access
+ privileged system resources, reducing requirements for a
+ superuser account, and reducing risk in the event of
+ compromise. The privileges development branch is
+ largely complete, but is based on an older FreeBSD
+ 5.0-CURRENT snapshot. Elements of this implementation
+ are being updated for FreeBSD 5.2 and are available as
+ part of the SEBSD version of the TrustedBSD MAC Framework.
+ For more information, see the <a href="privileges.html">
+ Privileges Page</a>.</p>
+ </dd>
+
<a name="sebsd" />
<dt><p>Security-Enhanced BSD (SEBSD)</p></dt>
==== //depot/projects/trustedbsd/www/developers.dev#3 (text+ko) ====
@@ -33,7 +33,7 @@
<developers>
<cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0">
<cvs:keyword name="freebsd">
- $P4: //depot/projects/trustedbsd/www/developers.dev#2 $
+ $P4: //depot/projects/trustedbsd/www/developers.dev#3 $
</cvs:keyword>
</cvs:keywords>
@@ -61,13 +61,13 @@
<firstname>Ilmar</firstname> <surname>Habibulin</surname>
<email>ilmar at watson.org</email>
<url>http://www.watson.org/~ilmar/</url>
- <area>Capabilities, Mandatory Access Control</area>
+ <area>Privileges, Mandatory Access Control</area>
</entry>
<entry>
<firstname>Thomas</firstname> <surname>Moestl</surname>
<email>tmm at FreeBSD.org</email>
- <area>Capabilities</area>
+ <area>Privileges</area>
</entry>
<entry>
@@ -86,7 +86,7 @@
<entry>
<firstname>Andrew</firstname> <surname>Reisse</surname>
<email>Andrew.Reisse at sparta.com</email>
- <area>SEDarwin, Capabilities</area>
+ <area>SEDarwin, Privileges</area>
</entry>
<entry>
==== //depot/projects/trustedbsd/www/mailinglists.page#4 (text+ko) ====
@@ -37,7 +37,7 @@
<cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0">
<cvs:keyword name="freebsd">
- $P4: //depot/projects/trustedbsd/www/mailinglists.page#3 $
+ $P4: //depot/projects/trustedbsd/www/mailinglists.page#4 $
</cvs:keyword>
</cvs:keywords>
@@ -115,7 +115,7 @@
<html>
<p>POSIX.1e, the now-withdrawn POSIX draft defining interfaces for
operating system security extensions, continues to play an important
- role in offering standard interfaces for ACLs, Capabilities, and to
+ role in offering standard interfaces for ACLs, Privileges, and to
a limited extent other services. The POSIX.1e mailing list provides
a cross-platform forum for the discussion of the draft, as well as
practical implementation and portability issues. More information on
==== //depot/projects/trustedbsd/www/privileges.page#2 (text+ko) ====
@@ -25,16 +25,16 @@
-->
<page role="components">
- <title>TrustedBSD POSIX.1e Capabilities</title>
+ <title>TrustedBSD POSIX.1e Privileges</title>
<cvs:keywords xmlns:cvs="http://www.FreeBSD.org/XML/CVS" version="1.0">
<cvs:keyword name="freebsd">
- $P4: //depot/projects/trustedbsd/www/privileges.page#1 $
+ $P4: //depot/projects/trustedbsd/www/privileges.page#2 $
</cvs:keyword>
</cvs:keywords>
<section>
- <title>TrustedBSD POSIX.1e Capabilities</title>
+ <title>TrustedBSD POSIX.1e Privileges</title>
<html>
<p>
@@ -46,15 +46,16 @@
<span id="cvsup-collection">p4-cvs-trustedbsd-cap</span>
</p>
- <p>POSIX.1e breaks root privilege into a set of capabilities, or
- more strictly, privileges, which allow the granting of specific
- privilege requirements for POSIX calls, such as setuid().
+ <p>POSIX.1e breaks root privilege into a set of privileges
+ (historically referred to as "Capabilities"), which allow the
+ granting of specific privilege requirements for POSIX calls, such
+ as setuid().
POSIX.1e defines extension to process and file state to allow
privileges to be granted to processes, either by inheritence or
a file privilege model similar to setuid/setgid.</p>
- <p>The TrustedBSD capability project is currently inactive, but an
- implementation of POSIX.1e capabilities for an older FreeBSD release
+ <p>The TrustedBSD privileges project is currently inactive, but an
+ implementation of POSIX.1e privileges for an older FreeBSD release
is available and functional, and may be found in Perforce/cvsup.
Certain key files are provided in a tarball for download on this
page.</p>
@@ -70,17 +71,17 @@
sufficient future growth in privileges, or further fine-graining.</p>
<p>Up-to-date versions of the kernel API changes to perform
- fine-grained privilege checking, without the capability model
+ fine-grained privilege checking, without the privilege model
itself, may be found in the <a href="sebsd.html">SEBSD branch</a>,
and include modifications to the TrustedBSD MAC Framework to allow
MAC modules to deny privilege based on the POSIX.1e privilege
categories.</p>
- <p>2006-03-26 FreeBSD 5.0 POSIX.1e capability reference files
+ <p>2006-03-26 FreeBSD 5.0 POSIX.1e privileges reference files
snapshot. These are reference BSD-licensed POSIX.1e privilege
files derived from an early TrustedBSD implementation, and do
- not represent a complete or supported implementation.
- <a href="downloads/20060326-cap.tgz">Download</a>.</p>
+ not represent a complete or supported implementation. Download
+ <a href="downloads/20060326-cap.tgz">20060326-cap.tgz</a> (60K).</p>
</html>
</section>
==== //depot/projects/trustedbsd/www/sidebar.xml#11 (text+ko) ====
@@ -7,11 +7,11 @@
<li><a href="audit.html">Audit</a></li>
<li><a href="bsmtrace.html">BSMtrace</a></li>
<li><a href="components.html#eas">Extended Attributes and UFS2</a></li>
- <li><a href="cap.html">Capabilities</a></li>
<li><a href="components.html#geom">GEOM</a></li>
<li><a href="mac.html">MAC</a></li>
<li><a href="openbsm.html">OpenBSM</a></li>
<li><a href="components.html#openpam">OpenPAM</a></li>
+ <li><a href="privileges.html">Privileges</a></li>
<li><a href="sebsd.html">SEBSD</a></li>
<li><a href="sedarwin.html">SEDarwin</a></li>
</ul>
@@ -24,11 +24,11 @@
<li><a href="audit.html">Audit</a></li>
<li><a href="bsmtrace.html">BSMtrace</a></li>
<li><a href="components.html#eas">Extended Attributes and UFS2</a></li>
- <li><a href="cap.html">Capabilities</a></li>
<li><a href="components.html#geom">GEOM</a></li>
<li><a href="mac.html">MAC</a></li>
<li><a href="openbsm.html">OpenBSM</a></li>
<li><a href="components.html#openpam">OpenPAM</a></li>
+ <li><a href="privileges.html">Privileges</a></li>
<li><a href="sebsd.html">SEBSD</a></li>
<li><a href="sedarwin.html">SEDarwin</a></li>
</ul>
More information about the p4-projects
mailing list