Re: [2.6 patch] remove securebits

From: Serge E. Hallyn
Date: Mon Aug 27 2007 - 11:28:29 EST


Quoting Adrian Bunk (bunk@xxxxxxxxxx):
> On Mon, Aug 27, 2007 at 10:09:42AM -0500, Serge E. Hallyn wrote:
> > Quoting Adrian Bunk (bunk@xxxxxxxxxx):
> > > On Fri, Aug 24, 2007 at 08:50:10PM -0700, Andrew Morgan wrote:
> > > >
> > > > FWIW, in the mm kernel, I've actually already removed them when one
> > > > configures without capabilities.
> > > >
> > > > http://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.23-rc3/2.6.23-rc3-mm1/broken-out/v3-file-capabilities-alter-behavior-of-cap_setpcap.patch
> > > >
> > > > Other than writing a custom module, so far as I can tell, there is/was
> > > > no way to set them anyway.
> > > >
> > > > I'd obviously prefer to wait for the mm-merge process to complete and
> > > > minimize the churn in this area, but I basically agree that the bits as
> > > > implemented are pretty useless in their current form. In a per-process
> > > > mode (with filesystem capability support) they are much more useful...
> > >
> > > It was in the tree for nine years (sic) without a single user...
> >
> > That's because without file capabilities there was no way for a process
> > to retain capabilities across exec, so not having a privileged root user
> > was simply not workable.
> >
> > > Are you only improving a dead horse, or do you also have a rider for the
> > > improved dead horse?
> >
> > It will allow process trees to run with strict capabilities, without a
> > root user which automatically gains full capabilities. That wasn't
> > possible without file capabilities, since there was no way for processes
> > to retain capabilities across exec. Now that we have file capabilities,
> > it is feasible, and it certainly is useful.
>
> I didn't question that the dead horse gets improved, but where's the
> rider?
>
> A user of the improved securebits has to be submitted for inclusion in
> the kernel.

The user would be userspace...

Unless by 'the user' you actually mean the patch itself which will allow
the setting of secure_noroot per-process. I don't know for sure, but
suspect Andrew might like to wait until file capabilities make it into
and stabilize in Linus' tree before going on with that.

-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/