Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Mon, 4 Nov 2002 09:33:44 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Mon, 4 Nov 2002 09:33:44 -0500 Received: from thunk.org ([140.239.227.29]:415 "EHLO thunker.thunk.org") by vger.kernel.org with ESMTP id ; Mon, 4 Nov 2002 09:33:43 -0500 Date: Mon, 4 Nov 2002 09:39:27 -0500 From: "Theodore Ts'o" To: Alexander Viro Cc: Linus Torvalds , Oliver Xymoron , Olaf Dietsche , Dax Kelson , Rusty Russell , linux-kernel@vger.kernel.org, davej@suse.de Subject: Re: Filesystem Capabilities in 2.6? Message-ID: <20021104143927.GB9197@think.thunk.org> Mail-Followup-To: Theodore Ts'o , Alexander Viro , Linus Torvalds , Oliver Xymoron , Olaf Dietsche , Dax Kelson , Rusty Russell , linux-kernel@vger.kernel.org, davej@suse.de References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.28i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1192 Lines: 28 On Sun, Nov 03, 2002 at 01:37:19AM -0500, Alexander Viro wrote: > > In other words, it would actually make perfect sense to have > > > > -r-sr-sr-x 1 nobody mail 451280 Apr 8 2002 /usr/bin/sendmail > > > > mount --bind --capability=chown,bindlow /usr/bin/sendmail /usr/bin/sendmail > > *blam* > > Congratulations with potential crapload of security holes - now anyone > who'd compromised a process running as nobody can chmod the damn thing > and modify it. > > And that is the reason why suid-nonroot is bad. It creates a class of > binaries that can easily give you a root compromise if one of them has > an exploit - even if that one is never run by root. This is solved by some implementations of POSIX capabilities by zapping any capabilities if the executible is modified --- just as some Unix systems zap the setuid bit if the executable is modified. It addresses specifically the problem that you've raised. - Ted - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/