Re: [PATCH] capabilities: Ambient capability set V1
From: Serge E. Hallyn
Date: Mon Feb 23 2015 - 11:46:29 EST
On Mon, Feb 23, 2015 at 10:44:32AM -0600, Christoph Lameter wrote:
> On Mon, 23 Feb 2015, Serge Hallyn wrote:
> > The core concern for amorgan is that an unprivileged user not be
> > able to cause a privileged program to run in a way that it fails to
> > drop privilege before running unprivileged-user-provided code.
> I do not see a problem with dropping privilege since the ambient set
> is supposed to be preserved across a drop of priviledge.
Because you're tricking the program into thinking it has dropped
the privilege, when in fact it has not.
> > Since your desire is precisely for a mode where dropping privilege
> > works as usual, but exec then re-gains some or all of that privilege,
> I would say that the ambient set stays active even if the setuid binary
> drops to regular perms.
> > we need to either agree on a way to enter that mode that ordinary
> > use caes can't be tricked into using, or find a way for legacy
> > users to be tpiped off as to what's going on (without having to be
> > re-written)
> Well if the ambient set is completely separate then the existing
> semantics are preserved while the ambient set stays active as intended.
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/