Re: understanding Linux capabilities brokenness

[Jan Engelhardt]

Hello,


Ts'o wrote:
>since _obviously_ when root calls setuid(), it never fails, right?

Well this really depends on how privileged a certain root user (think of 
SELinux and others) is.

>(2) There was some debate about whether or not this method was the              
course of wisdom,

James Morris wrote:
>Should we be thinking about deprecating and removing capabilities from 
>Linux?

My one half says no. But it needs reworking. Just look what I had to do 
with the linux source code in order to get this
< ftp://ftp.gwdg.de/linux/misc/suser-jengelh/multiadm-1.0.tbz2 > to work as 
intended - I had to poke really hard on caps stuff to get this module done.

And my other half says yes, because it's ironically to give a user all caps 
and then limit a certain user's permissions using LSM hook functions. So in 
effect, if you wanted root accounts of varying powers, all of them would need 
some - or even all - caps so that the code flow can reach the security_*() 
functions at all, because capable() is done before security_*(). So to get to 
security_*(), caps must be enabled, which turns a

	if(!capable(CAP_DAC_OVERRIDE)) return;

into, effectively,

	if(0) return;

With regard to _this_, I think it would be best to kill the cap checks, and 
let a security_* function handle it, in the style of "security/traditional.c".


Jan Engelhardt
-- 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/