Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751559AbWIGXAp (ORCPT ); Thu, 7 Sep 2006 19:00:45 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1422633AbWIGXAp (ORCPT ); Thu, 7 Sep 2006 19:00:45 -0400 Received: from gprs189-60.eurotel.cz ([160.218.189.60]:62412 "EHLO amd.ucw.cz") by vger.kernel.org with ESMTP id S1751634AbWIGXAo (ORCPT ); Thu, 7 Sep 2006 19:00:44 -0400 Date: Fri, 8 Sep 2006 01:00:28 +0200 From: Pavel Machek To: Bernd Eckenfels Cc: linux-kernel@vger.kernel.org Subject: Re: patch to make Linux capabilities into something useful (v 0.3.1) Message-ID: <20060907230028.GB30916@elf.ucw.cz> References: <20060907173449.GA24013@clipper.ens.fr> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Warning: Reading this can be dangerous to your mental health. User-Agent: Mutt/1.5.11+cvs20060126 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1485 Lines: 35 On Thu 2006-09-07 21:38:43, Bernd Eckenfels wrote: > In article <20060907173449.GA24013@clipper.ens.fr> you wrote: > > They wouldn't have to be marked: capabilities are inherited by > > default, with my patch (as is the Unix tradition: euid=0 or {r,s}uid=0 > > are preserved upon execve()), normal processes have CAP_FORK and just > > pass it on if you don't do something special to remove it. > > The Problem with that is, that a program can be started with some priveldges > without knowing it. Traditional programs only check for uid=0 and in that > case refuse to do some things. A program might not expect to be able to do a > priveldged action with not being uid=0. But that is not a problem. If attacker already has priviledge foo, he can just go use it. He does not have to exec() poor program not expecting to get priviledge foo, then abusing it. ...actually... ...what you say is a problem. You are right that capabilities should be "sanitized" on every exec of suid/sgid program (not only suid root). Sanitized here means "all regular capabilities set, all others cleared". Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/