Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Thu, 17 Oct 2002 08:14:59 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Thu, 17 Oct 2002 08:14:59 -0400 Received: from thunk.org ([140.239.227.29]:30674 "EHLO thunker.thunk.org") by vger.kernel.org with ESMTP id ; Thu, 17 Oct 2002 08:14:58 -0400 Date: Thu, 17 Oct 2002 08:20:56 -0400 From: "Theodore Ts'o" To: linux-kernel@vger.kernel.org Subject: Re: Posix capabilities Message-ID: <20021017122056.GB13573@think.thunk.org> Mail-Followup-To: Theodore Ts'o , linux-kernel@vger.kernel.org References: <20021016154459.GA982@TK150122.tuwien.teleweb.at> <20021017032619.GA11954@think.thunk.org> <20021017120526.GC6014@TK150122.tuwien.teleweb.at> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20021017120526.GC6014@TK150122.tuwien.teleweb.at> User-Agent: Mutt/1.3.28i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1847 Lines: 35 On Thu, Oct 17, 2002 at 02:05:26PM +0200, Stefan Schwandter wrote: > Ah, ok... I thought that things work like this: the capabilities support > already is in the kernel, and to give an app a particular capability, > one has to add a particalar extended attribute to the application > executable. So I'm wrong here it seems? First of all, you can't use a standard user extended attribute, since anyone with write access to the file will be allowed to set the extended attribute. This isn't good if you're going to be granting root-privileged capabilities to executables! So what would be needed is code to set and get a special system xattr (much like the POSIX ACL patches do) that is specifically set up for capabilities, and with appropriate authorization access checks when setting the capability xattr. In order to do that, we would have to decide on the actual on-disk format encoding for capabilities (and one which hopefully is extensible so that when additional capabilities are added in the future, existing filesystems with capability attributes remain backwards compatible). Finally, the ELF loader would have be modified to read the capability extended attribute from the executable, decode the xattr, and then set the capability masks appropriately. The code which I posted is a prerequisite for the above work, yes. It's just that there's quite a bit of additional work that would be necessary. (And this is all aside from the question about whether or not it's a good idea for most system administrators to attempt to use such a system once it was fully implemented.) - Ted - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/