Date: Sat, 2 Nov 2002 21:52:08 -0800 (PST)
From: Linus Torvalds
To: Oliver Xymoron
cc: Alexander Viro, Olaf Dietsche, "Theodore Ts'o", Dax Kelson, Rusty Russell
Subject: Re: Filesystem Capabilities in 2.6?
In-Reply-To: <20021103050344.GF18884@waste.org>
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 2 Nov 2002, Oliver Xymoron wrote:
>
> Yes, but this has annoying side effects like booting single-user and
> discovering things like /sbin/ping doesn't exist because mount -a
> didn't run yet.

No, /sbin/ping _would_ exist, it just wouldn't have gotten the elevated
capabilities yet. But that shouldn't matter in single-user mode, since it
doesn't _need_ any elevated capabilities (unless you've somehow made your
single-user mode run as a normal user - that's really secure, but you
can't do anything with it ;)

[ In general the scenario you bring up is actually a good thing: a failure
  mode would fail with _less_ privileges rather than more. Which on the
  whole is exactly what you want - failure to initialize something should
  not leave nasty security holes around. ]

On the other hand, I have this suspicion that the most secure setup is one
that the sysadmin is _used_ to, and knows all the pitfalls of. Which
obviously is a big argument for just maintaining the status quo with suid
binaries.

We have decades of knowledge on how to minimize the negative impact of
suid (I've used sendmail as an example of a suid program, and yet last I
looked sendmail was actually pretty careful about dropping all unnecessary
privileges very early on). And as Al points out, new security features
don't mean that you can just stop being careful.

		Linus

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
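The "fails with less privilege" property discussed above can be made concrete by looking at what an executable actually carries: a setuid bit in its mode, a capability set stored as file metadata, or neither (the case when that metadata has not been mounted yet). This is an added example, not code from the thread; it assumes the `security.capability` xattr layout (`struct vfs_cap_data`) that later kernels adopted, which post-dates this 2002 discussion, and the sample ping xattr is constructed inline.

```python
import struct

# On-disk layout of the security.capability xattr (struct vfs_cap_data in
# later kernels); this is an assumption of the example, not from the thread.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
CAP_NAMES = {7: "cap_setuid", 12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}


def bits(mask):
    """Capability numbers set in a bitmask, ascending."""
    return [i for i in range(64) if mask >> i & 1]


def parse_vfs_cap(blob):
    """Decode a little-endian vfs_cap_data blob; None means no xattr present."""
    if blob is None:
        return None
    magic = struct.unpack_from("<I", blob, 0)[0]
    rev = (magic & VFS_CAP_REVISION_MASK) >> 24
    nwords = {1: 1, 2: 2, 3: 2}[rev]          # 32-bit words per mask
    words = struct.unpack_from("<%dI" % (2 * nwords), blob, 4)
    permitted = inheritable = 0
    for i in range(nwords):                   # data[i] = {permitted, inheritable}
        permitted |= words[2 * i] << (32 * i)
        inheritable |= words[2 * i + 1] << (32 * i)
    rootid = struct.unpack_from("<I", blob, 4 + 8 * nwords)[0] if rev == 3 else 0
    return {"revision": rev, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": bits(permitted), "inheritable": bits(inheritable),
            "rootid": rootid}


def privilege_summary(mode, cap_blob):
    """Describe the elevated privilege an executable would start with."""
    if mode & 0o4000:
        return "setuid"                       # classic: runs with the owner's uid
    caps = parse_vfs_cap(cap_blob)
    if caps and caps["permitted"]:
        flags = ("e" if caps["effective"] else "") + "p"
        names = ",".join(CAP_NAMES.get(c, "cap_%d" % c) for c in caps["permitted"])
        return "file-caps: %s+%s" % (names, flags)
    return "none"                             # failure mode: less privilege, not more


# Constructed sample: a ping binary carrying cap_net_raw+ep (revision 2 xattr).
PING_CAPS = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)

if __name__ == "__main__":
    print(privilege_summary(0o104755, None))        # setuid ping
    print(privilege_summary(0o100755, PING_CAPS))   # capability-bearing ping
    print(privilege_summary(0o100755, None))        # xattr not yet available
```

The third case is the single-user-mode scenario from the thread: the binary exists and runs, but without its capability metadata it starts with no elevated privilege at all.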