Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Tue, 5 Nov 2002 18:56:09 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Tue, 5 Nov 2002 18:55:07 -0500 Received: from tmr-02.dsl.thebiz.net ([216.238.38.204]:36361 "EHLO gatekeeper.tmr.com") by vger.kernel.org with ESMTP id ; Tue, 5 Nov 2002 18:54:46 -0500 Date: Tue, 5 Nov 2002 19:00:37 -0500 (EST) From: Bill Davidsen To: "Albert D. Cahalan" cc: Linux Kernel Mailing List , olaf.dietsche#list.linux-kernel@t-online.de Subject: Re: Filesystem Capabilities in 2.6? In-Reply-To: <200211030031.gA30V8a505209@saturn.cs.uml.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1795 Lines: 39 On Sat, 2 Nov 2002, Albert D. Cahalan wrote: > > I have to wonder, just how many setuid executables do people have? > Implementing filesystem capability bits in ramfs or tmpfs might do > the job. At boot, initramfs stuff puts a few trusted executables > in /trusted and sets the capability bits. Then "mount --bind" to > put /trusted/su over an empty /bin/su file, or use symlinks. It's more useful that you might at first think, in terms of applications. If I have an app I want to make available to a limited group, currently I can portably make the file setuid to app-owner, then group but not world executable, and the people in the group can have access. The app might be a database, usenet news, mail system spam filter, whatever. ACLs work, but are not widely portable at the moment (if ever). > One might as well make "nosuid" the default then, and mount the > root filesystem that way. It's not as if a system needs to have > gigabytes of setuid executables. Well, my point here is not that you can't do this, but that normal users may have legitimate reasons for doing this, and that it's desirable to avoid having to remount the filesystem to reload some setuid file list. I would think a mount option which blocks setuid on root owned files and files which are world writable would be useful. That would allow the mounting of applications, which people in practice do, without compromising the whole system. -- bill davidsen CTO, TMR Associates, Inc Doing interesting things with little computers since 1979. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/