To: linux-kernel@vger.kernel.org
Path: not-for-mail
From: daw@mozart.cs.berkeley.edu (David Wagner)
Newsgroups: isaac.lists.linux-kernel
Subject: Re: [PATCH] + story;) on POSIX capabilities and SUID bit
Date: 16 Apr 2002 02:15:07 GMT
Organization: University of California, Berkeley
Lines: 23
Distribution: isaac
Message-ID: <a9g1fb$onq$1@abraham.cs.berkeley.edu>
In-Reply-To: <Pine.LNX.4.33.0204122026170.903-100000@seldon.terminus.sk>
NNTP-Posting-Host: mozart.cs.berkeley.edu
NNTP-Posting-Date: 16 Apr 2002 02:15:07 GMT
Originator: daw@mozart.cs.berkeley.edu (David Wagner)
Sender: linux-kernel-owner@vger.kernel.org

Marek Zelem  wrote:
>Our new formula:
>  * (***) pP' = (fP & X) | (fI & pI)
>  *       pI' = pP'
>  *       pE' = ((pP' & pE) | fP) & X & fE

Can you say anything about why this is safe and doesn't introduce
vulnerabilities?  (The capabilities misfeature that caused sendmail
8.10.1 to leak root privilege really drove home for me the subtlety of
this stuff.)

Also, the meaning of fE and fP seem backwards from what I would have
expected.  Maybe this reflects a lack in my understanding in capabilities,
but I thought 'effective' refers to capabilities you're allowed to invoke
at the moment, whereas 'permitted' refers to an upper bound on what
capabilities you're allowed enable in 'effective', consequently I would
have swapped the treatment of fE and fP.  Can you clear up my confusion?

Finally, what's the story behind the changes to CAP_INIT_EFF_SET and
CAP_INIT_INH_SET, and the business with CAP_SETPCAP?  If I understand
correctly, one side-effect of this change is that you've changed cap_bset
(X, the global bound on capabilities above) to add CAP_SETPCAP to it.
Is this safe?  What motivated this change?  Did I understand correctly?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/