Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Fri, 18 Oct 2002 12:08:09 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Fri, 18 Oct 2002 12:08:09 -0400 Received: from users.linvision.com ([62.58.92.114]:62346 "EHLO abraracourcix.bitwizard.nl") by vger.kernel.org with ESMTP id ; Fri, 18 Oct 2002 12:08:07 -0400 Date: Fri, 18 Oct 2002 18:13:56 +0200 From: Rogier Wolff To: "Theodore Ts'o" , Andreas Gruenbacher , Olaf Dietsche , linux-kernel@vger.kernel.org Subject: Re: Posix capabilities Message-ID: <20021018181356.A1664@bitwizard.nl> References: <20021016154459.GA982@TK150122.tuwien.teleweb.at> <20021017032619.GA11954@think.thunk.org> <874rblcpw5.fsf@goat.bogus.local> <200210171302.25413.agruen@suse.de> <20021017121213.GA13573@think.thunk.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20021017121213.GA13573@think.thunk.org> User-Agent: Mutt/1.3.22.1i Organization: BitWizard.nl Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2281 Lines: 49 On Thu, Oct 17, 2002 at 08:12:13AM -0400, Theodore Ts'o wrote: > On Thu, Oct 17, 2002 at 01:02:25PM +0200, Andreas Gruenbacher wrote: > > Filesystem capabilities move complexity out of applications into the > > file system (=system configuration), so the admins have to deal with > > an additional task. > > > > From a security point of view suid root applications that are > > dropping capabilities voluntarily aren't much different from plain > > old suid root apps; there may still be exploitable bugs before the > > code that drops capabilities (which doesn't mean that apps shouldn't > > drop capabilities). With capabilities the kernel ensures that > > applications cannot exceed their capabilities. > > If developers drop capabilities they don't need as the very first > thing that the program does --- i.e., the first statement in main() > --- then it's done once, and it's no longer a configuration issue. I'm a C-programmer. I've looked at C++ a long time ago. Turns out that my system also supports C++. I still don't care. Turns out that C++ specifies that some code should be run before main starts. It seems that if I happen to link with a library that uses C++ internally, some code in that library can get run before my first statement in main. Suddenly it IS my problem. NOT GOOD. If capabilities are correctly implemented, having "all" capabilities will mean that it's equivalent to "setuid-root". Nothing worse than what we have now. I can currently decide to take the setuid-ness of mount away. I can currently decide to install a setuid bit on "lilo". That is the flexibility of having it in the filesystem. Roger. -- ** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2600998 ** *-- BitWizard writes Linux device drivers for any device you may have! --* * The Worlds Ecosystem is a stable system. Stable systems may experience * * excursions from the stable situation. We are currenyly in such an * * excursion: The stable situation does not include humans. *************** - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/