Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752991AbZL2WQf (ORCPT ); Tue, 29 Dec 2009 17:16:35 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752351AbZL2WQd (ORCPT ); Tue, 29 Dec 2009 17:16:33 -0500 Received: from e32.co.us.ibm.com ([32.97.110.150]:50520 "EHLO e32.co.us.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752279AbZL2WQc (ORCPT ); Tue, 29 Dec 2009 17:16:32 -0500 Date: Tue, 29 Dec 2009 16:16:28 -0600 From: "Serge E. Hallyn" To: Valdis.Kletnieks@vt.edu Cc: Bryan Donlan , "Eric W. Biederman" , Michael Stone , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Andi Kleen , David Lang , Oliver Hartkopp , Alan Cox , Herbert Xu , Evgeniy Polyakov , "C. Scott Ananian" , James Morris , Bernie Innocenti , Mark Seaborn , Randy Dunlap , =?iso-8859-1?Q?Am=E9rico?= Wang , Tetsuo Handa , Samir Bellabes , Casey Schaufler , Pavel Machek , Al Viro Subject: Re: RFC: disablenetwork facility. (v4) Message-ID: <20091229221628.GA22578@us.ibm.com> References: <20091229050114.GC14362@heat> <20091229151146.GA32153@us.ibm.com> <3e8340490912290805s103fb789y13acea4a84669b20@mail.gmail.com> <20091229163939.GA6984@us.ibm.com> <3e8340490912290901y60d7daf2w5778c25f44972955@mail.gmail.com> <3e8340490912291108t7e000e75p8264fa585f831464@mail.gmail.com> <20091229212722.GA20178@us.ibm.com> <17290.1262123182@localhost> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <17290.1262123182@localhost> User-Agent: Mutt/1.5.20 (2009-06-14) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1937 Lines: 39 Quoting Valdis.Kletnieks@vt.edu (Valdis.Kletnieks@vt.edu): > On Tue, 29 Dec 2009 15:27:22 CST, "Serge E. Hallyn" said: > > I think i disagree. A uid is just a uid (or should be). One day we may > > have a way for a factotum-style daemon to grant the ability to an unpriv > > task to setuid without CAP_SETUID. I think slingling uids and gids > > around that you already have access to should be fine. > > Yes, but not doing the clear and obvious simple thing now for a "one day > we may have" consideration seems a poor engineering tradeoff. > > Yes, slinging uids and gids around *would* be nice. But first we need a clear > plan for making /usr/bin/newgrp a shell builtin - once that happens, *then* > we can re-address this code. ;) Absolutely agreed with the principle, but conflicted on the application. I know earlier in the thread I said uid 0 even when unprivileged is actually privileged merely by owning most of the system files. But in fact I think it helps to think more clearly when we separately consider the cases of (a) changing uid, and (b) enhancing privilege. That's why I was recommending implementation through securebits - what we're basically saying is the task should never gain privilege. And effectively, since it won't have CAP_SETUID (unless it has and keeps it in pI) it wont' be able to change uids. But if we right off the bat confuse changing uids with gaining privilege, I'm afraid we might end up making some poor decisions. Still, I won't say no to a check to refuse dropping the ability to setuid to ensure that ruid=euid=suid and pP=pE=pI=empty. It may come back to bite us, but like I say I'm conflicted - willing to go either way. -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/