From: Johannes Weiner
To: Markku Savela
Cc: linux-kernel@vger.kernel.org
Subject: Re: Radical idea? Remove all automatic privilege escalation base on executable file attributes!
Date: Fri, 08 Aug 2008 13:00:55 +0200

Hi,

Markku Savela writes:

> That is, remove
>
> - setuid/setgid feature from Linux
>
> - cancel the capability attributes in files (or only allow
>   downgrading of capabilities)
>
> (e.g. mount everything as nosuid or something, but eventually, the
> code could be removed from the kernel)
>
> The only way to escalate privileges would be to request starting of
> the executable by some daemon (like upstart), which would grant or
> deny the request based totally on some user space policies.

Let's just hope then that this central facility is not buggy itself.
Because if that would be the only way to acquire privileges as
non-privileged user, it is likely that every machine runs it. Opposed
to a bug in one setuid program that not everyone is even guaranteed to
have installed.

Hannes