This has been mentioned before and it's trivial to implement. However,
I don't think it's needed, at least not for the reason you mention.
The situation you mention is already handled by capabilities.
The names of the different capabilities assigned to a file is somewhat
misleading in the linux-privs patch. A process has the
inherited/permitted/effective capabilities. For a file, the
'inherited' should be renamed to the 'allowed' set, the permitted the
'forced' set and the effective is a single bit saying whether the
executable should start with capabilities raised or lowered
(capability 'smart'/'dumb'). The POSIX draft doesn't talk about an
'inherited' or 'permitted' set for files.
The following equations are used:
pI' = pI
pP' = fP | (fI & pI)
pE' = pP' & fE [NB. fE is 0 or ~0]
Now, if we rename as I said, the equations make sense.
Now, a user on the system has a set of "inherited" capabilities which
indicates the *maximum* privileges he is allowed to obtain. This is
*exluding* the rare cases where you force a program (it's "suid"). The
point being that you don't *use* suid programs/the "permitted" set on
the filesystem on a privs system. You use the *allowed* set on each
executable and it is filtered by the inherited set.
This means that an "allowed" bitmap you mention would only restrict
the ability to set programs "suid" which is an exception in the first
place.
astor
-- Alexander Kjeldaas, Guardian Networks AS, Trondheim, Norway http://www.guardian.no/- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu