Re: [PATCH] capabilities: Ambient capability set V1
From: Christoph Lameter
Date: Mon Feb 23 2015 - 11:44:40 EST
On Mon, 23 Feb 2015, Serge Hallyn wrote:
> The core concern for amorgan is that an unprivileged user not be
> able to cause a privileged program to run in a way that it fails to
> drop privilege before running unprivileged-user-provided code.
I do not see a problem with dropping privilege since the ambient set
is supposed to be preserved across a drop of privilege.
> Since your desire is precisely for a mode where dropping privilege
> works as usual, but exec then re-gains some or all of that privilege,
I would say that the ambient set stays active even if the setuid binary
drops to regular perms.
> we need to either agree on a way to enter that mode that ordinary
> use cases can't be tricked into using, or find a way for legacy
> users to be tipped off as to what's going on (without having to be
Well if the ambient set is completely separate then the existing
semantics are preserved while the ambient set stays active as intended.
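The concern quoted above is easiest to see with a small model of what an ambient set does at execve() time. The following is an added example, not code from the V1 patch or from either author in the thread. It applies the transformation rules that capabilities(7) documents for the ambient set as it was eventually merged in Linux 4.3; the V1 patch under discussion may behave differently, so those rules, the struct layout and the scenario functions are assumptions of this example. The capability numbers and the PR_CAP_AMBIENT constants are the real values from the kernel headers.

```c
/* Added example, not code from the patch or from the thread's authors.
 * Models the execve() capability transformation with an ambient set using
 * the rules documented in capabilities(7) for the merged feature (Linux
 * 4.3). The V1 patch discussed here may differ; treat the rules as assumed. */
#include <stdint.h>
#include <stdio.h>
#ifdef __linux__
#include <sys/prctl.h>
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT 47            /* values from linux/prctl.h, Linux >= 4.3 */
#define PR_CAP_AMBIENT_CLEAR_ALL 4
#endif
#endif

typedef uint64_t capset_t;
#define CAP_BIT(c) ((capset_t)1 << (c))
#define CAP_NET_BIND_SERVICE 10      /* numbers from linux/capability.h */
#define CAP_SYS_ADMIN 21

struct proc_caps { capset_t permitted, effective, inheritable, bounding, ambient; };
/* File capabilities; 'privileged' is set for files carrying caps or setuid/setgid. */
struct file_caps { capset_t permitted, inheritable; int effective; int privileged; };

/* Raise a capability in the ambient set, enforcing the invariant that it must
 * already be both permitted and inheritable. Returns 0 on success, -1 otherwise. */
int ambient_raise(struct proc_caps *p, int cap) {
    capset_t b = CAP_BIT(cap);
    if (!(p->permitted & b) || !(p->inheritable & b)) return -1;
    p->ambient |= b;
    return 0;
}

/* Drop everything from the ambient set: the step a privileged program must
 * take before executing code supplied by an unprivileged user. */
void ambient_clear_all(struct proc_caps *p) { p->ambient = 0; }

/* execve() transformation (capabilities(7)):
 *   P'(ambient)   = file privileged ? 0 : P(ambient)
 *   P'(permitted) = (P(inh) & F(inh)) | (F(perm) & P(bound)) | P'(ambient)
 *   P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
 * Inheritable and bounding sets are carried over unchanged. */
struct proc_caps exec_transform(struct proc_caps p, struct file_caps f) {
    struct proc_caps n;
    n.inheritable = p.inheritable;
    n.bounding = p.bounding;
    n.ambient = f.privileged ? 0 : p.ambient;
    n.permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | n.ambient;
    n.effective = f.effective ? n.permitted : n.ambient;
    return n;
}

/* Scenario (constructed): a process holding CAP_NET_BIND_SERVICE as ambient
 * execs a plain binary with no file caps and no setuid bit. Returns 1 if the
 * new image still has the capability in its effective set, 0 if not. */
int cap_survives_plain_exec(int clear_ambient_first) {
    struct proc_caps p = {0};
    p.permitted = p.inheritable = p.bounding =
        CAP_BIT(CAP_NET_BIND_SERVICE) | CAP_BIT(CAP_SYS_ADMIN);
    p.effective = p.permitted;
    if (ambient_raise(&p, CAP_NET_BIND_SERVICE) != 0) return -1;
    if (clear_ambient_first) ambient_clear_all(&p);
    struct file_caps plain = {0, 0, 0, 0};
    struct proc_caps n = exec_transform(p, plain);
    return (n.effective & CAP_BIT(CAP_NET_BIND_SERVICE)) ? 1 : 0;
}

/* Same process exec'ing a privileged (setuid or file-capped) binary: the
 * ambient set is discarded. Returns 0 if the new ambient set is empty. */
int ambient_bits_after_privileged_exec(void) {
    struct proc_caps p = {0};
    p.permitted = p.inheritable = p.bounding = CAP_BIT(CAP_NET_BIND_SERVICE);
    p.effective = p.permitted;
    ambient_raise(&p, CAP_NET_BIND_SERVICE);
    struct file_caps setuid_bin = {0, 0, 0, 1};
    struct proc_caps n = exec_transform(p, setuid_bin);
    return n.ambient == 0 ? 0 : 1;
}

/* On a real Linux >= 4.3 kernel the equivalent mitigation is this prctl().
 * Returns 0 on success, -1 (errno set) if unsupported or refused. */
int clear_ambient_set_linux(void) {
#ifdef __linux__
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
#else
    return -1;
#endif
}

int main(void) {
    printf("plain exec, ambient kept:    cap survives = %d\n", cap_survives_plain_exec(0));
    printf("plain exec, ambient cleared: cap survives = %d\n", cap_survives_plain_exec(1));
    printf("setuid exec, ambient empty:  %d\n", ambient_bits_after_privileged_exec());
    return 0;
}
```

The model makes the trade-off concrete: with the ambient set left in place, a plain exec of user-provided code inherits the capability in its effective set without any file capability being involved, which is exactly the situation amorgan's concern describes; once the program clears the ambient set (or the target is a privileged file, which the kernel treats by zeroing the ambient set) the capability does not carry over.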