Date: Wed, 9 Mar 2011 13:38:13 -0800
From: Greg KH
To: Eric Paris
Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, dhowells@redhat.com, jmorris@namei.org, serge.hallyn@canonical.com, morgan@kernel.org
Subject: Re: [PATCH -v2] capabilites: allow the application of capability limits to usermode helpers
Message-ID: <20110309213813.GA28009@kroah.com>
References: <20110309193330.12181.92080.stgit@paris.rdu.redhat.com>
In-Reply-To: <20110309193330.12181.92080.stgit@paris.rdu.redhat.com>

On Wed, Mar 09, 2011 at 02:33:31PM -0500, Eric Paris wrote:
> There is no way to limit the capabilities of usermodehelpers. This problem
> reared its head recently when someone complained that any user with
> cap_net_admin was able to load arbitrary kernel modules, even though the user
> didn't have cap_sys_module. The reason is because the actual load is done by
> a usermode helper and those always have the full cap set. This patch adds new
> sysctls which allow us to bound the permissions of usermode helpers.
>
> /proc/sys/kernel/usermodehelper/bset
> /proc/sys/kernel/usermodehelper/inheritable

Shouldn't these be documented somewhere? Documentation/ABI?

> You must have CAP_SYS_MODULE to change these (changes are &= ONLY).

Why that permission? Just because 'modprobe' is usually run from this callback? Or some other reason?

> When the kernel launches a usermodehelper it will do so with these as
> the bset and pI.

Shouldn't the caller of these functions be the ones dictating the capabilities it should be run with?

thanks,

greg k-h
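The following is an added illustration of the "&= ONLY" sysctl semantics described in the quoted patch text; it is not code from the patch, from the kernel, or from either participant. It models the bounding set as a capability bitmask, applies a write the way the patch text says the kernel does (intersection with the current value, so bits can only ever be cleared), and reads the live file if the running kernel has it. The two-word decimal representation (low 32 bits, then high 32 bits) is an assumption about the sysctl's on-disk format, as are the constructed sample values; the capability bit numbers are the ones from <linux/capability.h>.

```python
"""Model of a monotonic (&= only) capability bounding-set sysctl.

Assumptions (not stated in the mail): the file holds the kernel_cap_t as two
decimal 32-bit words, "lo hi", and a write is intersected with the current
value.  Sample values below are constructed for the demonstration.
"""

# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN = 12
CAP_SYS_MODULE = 16
CAP_SYS_ADMIN = 21
CAP_NAMES = {
    CAP_NET_ADMIN: "cap_net_admin",
    CAP_SYS_MODULE: "cap_sys_module",
    CAP_SYS_ADMIN: "cap_sys_admin",
}

# Path named in the patch text; reading it only works on a kernel that has the sysctl.
SYSCTL_BSET = "/proc/sys/kernel/usermodehelper/bset"

WORD = 0xFFFFFFFF


def parse_capmask(text: str) -> int:
    """Turn the assumed two-word representation 'lo hi' into one integer bitmask."""
    words = text.split()
    if len(words) != 2:
        raise ValueError(f"expected two 32-bit words, got {text!r}")
    lo, hi = (int(w) for w in words)
    if not (0 <= lo <= WORD and 0 <= hi <= WORD):
        raise ValueError("capability word outside 32-bit range")
    return (hi << 32) | lo


def format_capmask(mask: int) -> str:
    """Inverse of parse_capmask: emit the value as 'lo hi'."""
    return f"{mask & WORD} {(mask >> 32) & WORD}"


def apply_write(current: int, requested: int) -> int:
    """Model the '&= ONLY' rule: a write may clear bits but can never set one."""
    return current & requested


def has_cap(mask: int, cap: int) -> bool:
    return bool((mask >> cap) & 1)


def drop_cap(mask: int, cap: int) -> int:
    return mask & ~(1 << cap)


def present_caps(mask: int) -> list:
    """Names of the known capabilities still present in the mask."""
    return [name for bit, name in sorted(CAP_NAMES.items()) if has_cap(mask, bit)]


def read_helper_bset(path: str = SYSCTL_BSET):
    """Read the live bounding set, or None when the kernel lacks the sysctl."""
    try:
        with open(path) as f:
            return parse_capmask(f.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed sample: a helper bounding set with every bit set.
    full = parse_capmask("4294967295 4294967295")
    print("before:", present_caps(full))

    # A privileged write that drops CAP_SYS_ADMIN from the helper set.
    after = apply_write(full, drop_cap(full, CAP_SYS_ADMIN))
    print("after: ", present_caps(after), "->", format_capmask(after))

    # A later write trying to put the bit back is silently ignored: bits only go down.
    retry = apply_write(after, full)
    print("re-add attempt changes anything:", retry != after)

    live = read_helper_bset()
    print("live bset:", "not available on this kernel" if live is None else present_caps(live))
```

Two caveats fall out of the model: once a bit is cleared it stays cleared until reboot, since no later write can set it, and the helper bounding set applies to every usermode helper, so removing CAP_SYS_MODULE from it would also stop the modprobe helper the mail describes from loading modules at all.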