Re: Ke: Process Capabilities on 2.2.16, Sendmail problem revisited

From: Albert D. Cahalan (acahalan@cs.uml.edu)
Date: Fri Jun 16 2000 - 21:37:02 EST


Aaron Denney writes:

> Another mechanism for forcibly lowering capabilities would be
> nice and useful, and I agree that it would need to be stored
> outside the binary. I don't think the inode would be a good
> place though, as that is traditionally under the control of
> the owner (save atime), and this is not.
>
> Further, this is (should be) per-executor information.
> Surely you can imagine two people on the same system
> wanting to trust a given binary differing amounts?

Oh my, you had to bring up THAT problem...

For this, the in-memory solution is the only sane answer. The bits
get restricted to a VFS namespace, and you use a namespace-splitting
clone call to divide up the system by who trusts what.

That solution is really solid. Namespaces could form the VFS part
of a simple MAC system even. If there isn't any path to something,
then you just can't access it.

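The namespace-splitting approach described above, as an added example that is not code from this thread: a C program for Linux that forks, has the child split off a private mount namespace (the same CLONE_NEWNS flag the clone call takes, here via unshare), and hides a directory behind an empty tmpfs. The parent keeps its own view, so the file stays reachable there and unreachable in the child: no path, no access. The fallback to a user namespace for unprivileged callers and the return-code convention are this example's own assumptions; the scratch directory and marker file are constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* 1 if `path` resolves in the calling process's mount namespace, else 0. */
int path_visible(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Split into a private mount namespace. Tries CLONE_NEWNS alone (needs
 * CAP_SYS_ADMIN), then pairs it with a new user namespace so an unprivileged
 * caller can do the same where the kernel allows it (assumption: this fallback
 * is not part of the thread's proposal). */
static int split_mount_namespace(void)
{
    if (unshare(CLONE_NEWNS) == 0)
        return 0;
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == 0)
        return 0;
    return -1;
}

/* Child side: hide `dir` behind an empty tmpfs and report whether `marker`
 * (a file inside `dir`) can still be reached.
 * Exit codes: 0 = hidden, 1 = still visible, 10 and up = could not set up. */
static int child_view(const char *dir, const char *marker)
{
    if (split_mount_namespace() != 0)
        return 10;
    /* Make every mount private so nothing done here propagates to the parent. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return 11;
    if (mount("none", dir, "tmpfs", 0, "size=64k") != 0)
        return 12;
    return path_visible(marker) ? 1 : 0;
}

/* Returns 0 when the marker stays visible to the parent but is unreachable
 * from the child's namespace, 1 when isolation failed in either direction,
 * and -1 when this environment cannot create a mount namespace at all. */
int namespace_demo(void)
{
    char dir[] = "/tmp/nsdemo-XXXXXX";   /* constructed scratch directory */
    char marker[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(marker, sizeof marker, "%s/secret.txt", dir);
    int fd = open(marker, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);

    int result;
    pid_t pid = fork();
    if (pid == 0)
        _exit(child_view(dir, marker));
    if (pid < 0) {
        result = -1;
    } else {
        int status = 0;
        waitpid(pid, &status, 0);
        int code = WIFEXITED(status) ? WEXITSTATUS(status) : 10;
        if (code >= 10)
            result = -1;                            /* no namespace possible here */
        else if (code == 1)
            result = 1;                             /* child could still reach the file */
        else
            result = path_visible(marker) ? 0 : 1;  /* 1: child's mount leaked to parent */
    }
    unlink(marker);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = namespace_demo();
    if (r < 0)
        puts("could not create a mount namespace here (need CAP_SYS_ADMIN or user namespaces)");
    else
        printf("per-namespace view %s: parent sees the file, child does not\n",
               r == 0 ? "held" : "FAILED");
    return r < 0 ? 0 : r;
}
```

The MS_REC | MS_PRIVATE step is the part worth remembering: on systems where the root mount is shared, a mount made in the child would otherwise propagate back and defeat the split, so the per-namespace view must be made private before anything is mounted over.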

This archive was generated by hypermail 2b29 : Fri Jun 23 2000 - 21:00:13 EST