Message-ID: <20060819170834.17845.qmail@web36603.mail.mud.yahoo.com>
Date: Sat, 19 Aug 2006 10:08:34 -0700 (PDT)
From: Casey Schaufler <casey@schaufler-ca.com>
Reply-To: casey@schaufler-ca.com
Subject: Re: [RFC] [PATCH] file posix capabilities
To: Crispin Cowan <crispin@novell.com>
Cc: lkml <linux-kernel@vger.kernel.org>, linux-security-module@vger.kernel.org
In-Reply-To: <44E6714C.3090707@novell.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1135
Lines: 38


--- Crispin Cowan <crispin@novell.com> wrote:

> >  At least some of the Linux capabilities lend
> themselves to easy
> > privilege escalation to gaining other capabilities
> or effectively
> > bypassing them.
> >   
> Certainly; cap_sys_admin effectively gives you
> ownership of the machine.
> But that is fundamental to the POSIX Capabilities
> model, and not
> something that Serge can change.

In turn it is fundamental to the curious
granularity of privileged operations in Unix.

I maintain that the real value in the POSIX
capability model derives from seperating the
permission to violate policy from the UID.

Granularity of such privilege is a bonus, and
a matter of considerable debate. DGUX ended
up with over 330 distinct capabilities, while
Irix had (last I looked) 24, and Solaris
came in somewhere between. All these systems
work.


Casey Schaufler
casey@schaufler-ca.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/