Re: Status of capabilities?

From: Dax Kelson (dax@gurulabs.com)
Date: Thu Jun 27 2002 - 17:52:33 EST


On Thu, 2002-06-27 at 14:54, Chris Wright wrote:
> * Jesse Pollard (pollard@tomcat.admin.navo.hpc.mil) wrote:
> >
> > Actually, I think most of that work has already been done by the Linux
> > Security Module project (well, except #7).
>
> The LSM project supports capabilities exactly as it appears in the
> kernel right now. The EA linkage is still missing. Of course, we are
> accepting patches ;-)

Has either lscap or chcap been written? I suppose not as that would
require a consensus on how capabilities would be stored as a EA.

That EA would need to be "special" and only be changeable by uid 0 (or
CAP_CHFSCAP).

So, has any of the below changed now that LSM has entered the picture?

1. Define how capabilities will be stored as a EA
2. Teach fs/exec.c to use the capabilities stored with the file
3. Write lscap(1)
4. Write chcap(1)
5. Audit/fix all SUID root binaries to be capabilities aware
6. Set appropriate capabilities with for each with chcap(1) and then:
   # find / -type f -perm -4000 -user root -exec chmod u-s {} \;
7. Party and snicker in the general direction of that OS with the slogan
"One remote hole in the default install, in nearly 6 years!"

Dax Kelson

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sun Jun 30 2002 - 22:00:12 EST