From: Valdis.Kletnieks@vt.edu
To: "Serge E. Hallyn"
Cc: Jan Engelhardt, Giacomo Catenazzi, Linus Torvalds, Andreas Gruenbacher, Thomas Fricaccia, Linux Kernel Mailing List, James Morris
Subject: Re: LSM conversion to static interface
Date: Thu, 25 Oct 2007 06:23:09 -0400
Message-ID: <5541.1193307789@turing-police.cc.vt.edu>
In-Reply-To: Your message of "Tue, 23 Oct 2007 10:34:09 CDT." <20071023153409.GA14215@vino.hallyn.com>
References: <167451.96128.qm@web38607.mail.mud.yahoo.com> <200710192226.53233.agruen@suse.de> <471D8A4C.3020101@debian.org> <20071023152005.GA13767@vino.hallyn.com> <20071023153409.GA14215@vino.hallyn.com>

On Tue, 23 Oct 2007 10:34:09 CDT, "Serge E. Hallyn" said:
> And he will still be able to *run* the suid binary, but if cap_bound is
> reduced he won't be able to use capabilities taken out of the bounding
> set, multiadm loaded or not.

I am willing to bet that there's still a *lot* of unaudited set[ug]id code out there that's vulnerable to the same sorts of attacks as the one that hit Sendmail a few back.
As such, I have to agree with your original post of the patch that CAP_SYS_ADMIN should be required to lower the set, as there's just too much danger of an exploit if users can create their own reduced-set processes.

I'm debating whether we should have a printk if we detect that a removed capability caused an -EPERM. Yes, it can be used to spam the logs. On the other hand, I as the sysadmin would like to know if it's happening. Looks like time for a sysctl or something....
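As an added illustration (not part of Valdis's message or of the bounding-set patch under discussion), the C program below shows the two defender-side checks this exchange points at: reading the CapBnd mask from /proc/self/status to see whether CAP_SETUID and CAP_SETGID are still in the process's bounding set, and the privilege-drop pattern that unaudited set[ug]id code gets wrong, namely refusing to continue unless setgid()/setuid() actually succeeded and took effect. The capability numbers are the standard values from <linux/capability.h>; the sample status text used in the comments is constructed.

```c
/* Added example, not from the LKML thread.  Two checks for the failure mode
 * discussed above: (1) is a given capability still in this process's
 * bounding set (CapBnd in /proc/self/status)?  (2) a privilege drop that
 * treats a failed setgid()/setuid() as fatal instead of running on as root. */
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Capability numbers as in <linux/capability.h>; repeated here so the file
 * builds without kernel headers. */
#define CAP_SETGID     6
#define CAP_SETUID     7
#define CAP_SYS_ADMIN 21

/* Parse the hex mask after "CapBnd:" in a /proc/<pid>/status buffer.
 * Returns 0 and stores the mask, or -1 if the line is absent or malformed.
 * Constructed sample input: "CapBnd:\t0000003fffffff3f\n". */
int parse_cap_bnd(const char *status_text, uint64_t *mask_out)
{
    const char *p = strstr(status_text, "CapBnd:");
    if (!p)
        return -1;
    p += strlen("CapBnd:");
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;
    *mask_out = (uint64_t)v;
    return 0;
}

/* 1 if capability number `cap` is set in `mask`, else 0. */
int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Convenience: 1/0 for present/absent, -1 if the status text has no CapBnd. */
int cap_in_status(const char *status_text, int cap)
{
    uint64_t mask;
    if (parse_cap_bnd(status_text, &mask) != 0)
        return -1;
    return cap_in_mask(mask, cap);
}

/* Read this process's own bounding set; -1 if /proc is unavailable. */
int read_own_cap_bnd(uint64_t *mask_out)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_bnd(buf, mask_out);
}

/* Drop to (uid, gid).  Returns 0 only if both calls succeeded AND the new
 * ids are really in effect; -1 with errno set otherwise.  A setuid helper
 * that ignores these return values keeps running with its original ids when
 * CAP_SETUID/CAP_SETGID have been removed from the bounding set. */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    uint64_t bnd;
    if (read_own_cap_bnd(&bnd) == 0) {
        printf("CapBnd: %016" PRIx64 "\n", bnd);
        printf("CAP_SETGID in bounding set: %s\n", cap_in_mask(bnd, CAP_SETGID) ? "yes" : "no");
        printf("CAP_SETUID in bounding set: %s\n", cap_in_mask(bnd, CAP_SETUID) ? "yes" : "no");
    } else {
        puts("no /proc/self/status available; skipping bounding-set check");
    }
    /* Dropping to our own ids always succeeds; a real helper passes its
     * unprivileged target ids here and exits when this fails. */
    if (drop_privileges_checked(getuid(), getgid()) != 0) {
        perror("drop_privileges_checked");
        return 1;
    }
    puts("privileges dropped and verified");
    return 0;
}
```

Run as an ordinary user the program reports its own CapBnd and confirms the (no-op) drop; a setuid-root helper would instead pass the target user's ids and exit on a non-zero return, which is exactly the check the Sendmail-style failure relied on being absent.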