Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mastodon.social/users/pid_eins/statuses/111177305026430164">Lennart Poettering (pid_eins@mastodon.social)'s status on Saturday, 07-Oct-2023 22:24:47 JST</a><a href="https://mastodon.social/@pid_eins" title="pid_eins@mastodon.social"><img src="https://gnusocial.jp/avatar/92094-48-20230126121211.webp" width="48" height="48" alt="Lennart Poettering" style="position: absolute; left: 0; top: 0;">Lennart Poettering</a><div><a href="https://mastodon.social/@pid_eins/111177296278117309" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/40873" title="dalias@hachyderm.io">Rich Felker</a></li><li><a href="https://gnusocial.jp/user/136486" title="jamesh@aus.social">James Henstridge</a></li></ul></div></section><article><p><a href="https://hachyderm.io/@dalias">@dalias</a> <a href="https://aus.social/@jamesh">@jamesh</a> <a href="https://metalhead.club/@mariusor">@mariusor</a> and what's even worse. they are permanent: file ownership/ACL entries are persistently made on some inode, and there's no scheme to clean that up again (unless some – brittle – logic cleans this up manually). Moreover if you have access to an inode you basically have access to it forever, just by keeping an fd open. </p><p>UNIX access control works for simple, relatively static, non-interactive cases, but Polkit is precisely supposed to fill the gap where that's not enough.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2137826#notice-4225376">In conversation</a><time datetime="2023-10-07T22:24:47+09:00" title="Saturday, 07-Oct-2023 22:24:47 JST">about a year ago</time> <span>from <span><a href="https://mastodon.social/@pid_eins/111177305026430164" rel="external" title="Sent from mastodon.social via ActivityPub">mastodon.social</a></span></span><a href="https://mastodon.social/@pid_eins/111177305026430164">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Lennart Poettering (pid_eins@mastodon.social)'s status on Saturday, 07-Oct-2023 22:24:47 JSTLennart Poettering
in reply to
@dalias @jamesh @mariusor and what's even worse. they are permanent: file ownership/ACL entries are persistently made on some inode, and there's no scheme to clean that up again (unless some – brittle – logic cleans this up manually). Moreover if you have access to an inode you basically have access to it forever, just by keeping an fd open.
UNIX access control works for simple, relatively static, non-interactive cases, but Polkit is precisely supposed to fill the gap where that's not enough.
In conversationabout a year ago from mastodon.socialpermalink

Public

Embed Notice

HTML Code

Corresponding Notice