Re: Possible problem in linux file posix capabilities

From: Serge E. Hallyn
Date: Sun Feb 17 2008 - 20:39:59 EST


Quoting Andrew G. Morgan (morgan@xxxxxxxxxx):
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Serge E. Hallyn wrote:
> | Andrew, this pretty much was bound to happen... we need to figure out
> | what our approach here should be. My preference is still to allow
> | signals when p->uid==current->uid so long as !SECURE_NOROOT. Then as
> | people start using secure_noroot process trees they at least must know
> | what they're asking for.
>
> I don't think there is anything special about root.
>
> I've been trying to advocate that we remove the *uid == 0 part of this
> check since we discussed it in November:
>
> As I said 11/29/07 [Re: [patch 31/55] file capabilities: don't prevent
> signaling setuid root programs]:
> | I actually said (11/26/07):
> |> >> Serge,
> |> >>
> |> >> I still feel a bit uneasy about this. Looking ahead, with filesystem
> |> >> capabilities, one can simulate this same situation with a setuid
> |> >> 'non-root' program as follows:
> |> >>
> |> >> [... example of simulating the same situation with setuid-non-root ...]
> |> >>
> |> >> Is there a compelling reason to include the euid==0 check?
>
> So, independent of whether SECURE_NOROOT is in effect or not, I think
> this particular line should simply read:
>
> if (p->uid == current->uid)
>         return 0;

Hmm, well unless I misunderstand I think I'm fine with that. And I must
have completely misunderstood you in November or my memory is just
playing tricks.

So the following patch against current -git is ok with you?

thanks,
-serge
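To make the difference between the two checks concrete, here is a small userspace model of the uid short-circuit in the capability LSM's task_kill hook. This is example code added to this note; it is not the patch under discussion and not the kernel's source. The "legacy" branch is a reconstruction of the `euid == 0` check the thread argues about, the capability sets are simplified to a 64-bit mask, and the `cap_compare` tail stands in for the subset and CAP_KILL tests that follow the short-circuit; all of that is assumed for the sake of illustration. The scenario Andrew raises, a same-uid target that gained capabilities from file capabilities rather than from setuid root, is the case where the two forms disagree.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of a task, not the kernel's task_struct.  The permitted set is
 * modelled as a bitmask (assumption: it fits in 64 bits for this example).
 */
struct task {
    unsigned int uid;        /* real uid */
    unsigned int euid;       /* effective uid */
    uint64_t cap_permitted;  /* permitted capability set */
};

#define CAP_KILL_BIT    (1ULL << 5)   /* CAP_KILL is capability number 5 */
#define CAP_NET_RAW_BIT (1ULL << 13)  /* CAP_NET_RAW is capability number 13 */
#define CAP_ALL_BITS    (~0ULL)

/* True when every capability in a is also in b. */
static bool cap_issubset(uint64_t a, uint64_t b)
{
    return (a & ~b) == 0;
}

/* Shared tail of both variants: the actual capability comparison (simplified). */
static int cap_compare(const struct task *p, const struct task *current)
{
    if (cap_issubset(p->cap_permitted, current->cap_permitted))
        return 0;
    if (current->cap_permitted & CAP_KILL_BIT)   /* stands in for capable(CAP_KILL) */
        return 0;
    return -EPERM;
}

/* Legacy form (reconstructed): only a setuid-*root* target of the same user is exempt. */
int legacy_task_kill(const struct task *p, const struct task *current)
{
    if (p->euid == 0 && p->uid == current->uid)
        return 0;
    return cap_compare(p, current);
}

/* Form proposed in the thread: any target with the same real uid is exempt. */
int proposed_task_kill(const struct task *p, const struct task *current)
{
    if (p->uid == current->uid)
        return 0;
    return cap_compare(p, current);
}

int main(void)
{
    /* Constructed scenarios; uid 1000 is an unprivileged user. */
    struct task shell        = { 1000, 1000, 0 };
    struct task setuid_root  = { 1000, 0,    CAP_ALL_BITS };     /* classic setuid-root helper */
    struct task filecap_prog = { 1000, 1000, CAP_NET_RAW_BIT };  /* same gain via file caps, euid stays 1000 */
    struct task other_user   = { 1001, 1001, CAP_NET_RAW_BIT };

    printf("setuid root : legacy %d proposed %d\n",
           legacy_task_kill(&setuid_root, &shell), proposed_task_kill(&setuid_root, &shell));
    printf("file caps   : legacy %d proposed %d\n",
           legacy_task_kill(&filecap_prog, &shell), proposed_task_kill(&filecap_prog, &shell));
    printf("other user  : legacy %d proposed %d\n",
           legacy_task_kill(&other_user, &shell), proposed_task_kill(&other_user, &shell));
    return 0;
}
```

The second scenario is the one that matters: under the legacy form the user's own shell cannot signal the file-capability program (euid is not 0, the target's permitted set is not a subset of the shell's, and the shell lacks CAP_KILL), while the same user can signal the setuid-root program. The proposed form treats both the same way, which is the "nothing special about root" point.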