Re: [PATCH 0/2] capabilities

From: Paul Jakma
Date: Fri May 14 2004 - 19:07:51 EST

On Wed, 12 May 2004, Andy Lutomirski wrote:

> Like something that turns KEEPCAPS on then setuid()s then executes
> an untrusted program? It's obviously wrong, but it's secure
> currently since the exec wipes capabilities. And no one would
> notice. Ugh!

Definitely wrong.

> The prctl would defeat the purpose (imagine if bash forgot the
> prctl -- then the whole thing is pointless).

Capabilities aware programmes are most likely already setting
PR_SET_KEEPCAPS anyway if they're doing anything half-fancy. Another
prctl() wont hurt too much if it is the only way to guarantee
backward compatible security (?).

Paul Jakma paul@xxxxxxxx paul@xxxxxxxxx Key ID: 64A2FF6A
warning: do not ever send email to spam@xxxxxxxxxx
"I go on working for the same reason a hen goes on laying eggs."
- H. L. Mencken
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at