Re: Securelevel bitmap patch

Linus Torvalds (torvalds@transmeta.com)
Mon, 30 Mar 1998 09:48:07 -0800 (PST)


On Mon, 30 Mar 1998, Alan Cox wrote:
>
> > Linus: "securelevel" as is, is completely useless. If you deem that we're
> > never going to have a BSD-like securelevel, please remove it immediately.
> > It is a shame that the securelevel patch you received would have secured
> > up 2.2 nicely, but this "linux-privs" project stuff is probably too big a
> > change for you to consider for 2.2.
>
> Some Linus feedback would be useful. If we aren't going to get either I'll
> merge securelevel into my 2.1.x 'neat things that Linus doesn't approve of'
> set that I hope will become something like the 'Enhanced Linux Patch' for 2.2

I can easily integrate a _framework_ for capabilities: at this point I
definitely don't want the fancy stuff (ie I don't want patches to ext2fs
that extend the meaning of "suid" etc). Those kinds of patches should be
very small - and more importantly they should also be trivial to check for
correctness by just eyeballing them.

So that framework would really only be splitting up the "suid()" and
"fsuid()" stuff into many more bits, and when a setuid happens all the
bits get set. Together with maybe the most obvious and trivial system
calls, something like

remove_capability(int pid, unsigned long mask)

where

pid = 0 - myself (everybody can revoke privileges from themselves)
pid = -1 - everybody (only somebody with priv-privs can do this)
pid = pid - only somebody with priv-privs
pid = -pid - that session or whatever

In short, I'd happily add one system call, but that would be the only
thing for now (let's do the rest lazily when it becomes obvious).

Linus

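As an added illustration (not code from the mail, nor from any kernel), a user-space C model of the proposed remove_capability(pid, mask) semantics, with the caller passed explicitly so the four pid conventions can be exercised. The process table, the session numbers and the bit names other than "priv-privs" are constructed for the example.

```c
#include <string.h>
/* Capability bits. "priv-privs" is the mail's term for the right to revoke
 * privileges from other tasks; the other two names are constructed samples. */
#define CAP_PRIVS   (1UL << 0)
#define CAP_NET_RAW (1UL << 1)
#define CAP_CHOWN   (1UL << 2)
#define CAP_ALL     (CAP_PRIVS | CAP_NET_RAW | CAP_CHOWN)

#define NTASKS 4
struct task { int pid; int session; unsigned long caps; };
static struct task tasks[NTASKS];

/* Constructed process table: pids 1,2 in session 1; pids 3,4 in session 3. */
void reset_tasks(void) {
    struct task init[NTASKS] = { {1, 1, CAP_ALL}, {2, 1, CAP_NET_RAW | CAP_CHOWN},
                                 {3, 3, CAP_PRIVS | CAP_CHOWN}, {4, 3, CAP_NET_RAW} };
    memcpy(tasks, init, sizeof init);
}

static struct task *find(int pid) {
    for (int i = 0; i < NTASKS; i++) if (tasks[i].pid == pid) return &tasks[i];
    return NULL;
}

/* "When a setuid happens all the bits get set": the only way bits come back. */
void on_setuid(int pid) { struct task *t = find(pid); if (t) t->caps = CAP_ALL; }
unsigned long caps_of(int pid) { struct task *t = find(pid); return t ? t->caps : 0; }

/* The proposed call with the caller made explicit. Returns 0 on success, -1 when the
 * caller lacks priv-privs or the target does not exist. Bits are only ever cleared. */
int remove_capability(int caller, int pid, unsigned long mask) {
    struct task *me = find(caller);
    if (!me) return -1;
    if (pid == 0) { me->caps &= ~mask; return 0; }   /* myself: always permitted */
    if (!(me->caps & CAP_PRIVS)) return -1;          /* anyone else: need priv-privs */
    if (pid == -1) {                                 /* everybody, caller included */
        for (int i = 0; i < NTASKS; i++) tasks[i].caps &= ~mask;
        return 0;
    }
    if (pid > 0) {                                   /* exactly that task */
        struct task *t = find(pid);
        if (!t) return -1;
        t->caps &= ~mask; return 0;
    }
    int hit = 0;                                     /* -pid: every task in that session */
    for (int i = 0; i < NTASKS; i++)
        if (tasks[i].session == -pid) { tasks[i].caps &= ~mask; hit = 1; }
    return hit ? 0 : -1;
}
```

Because the call can only clear bits, a task that drops priv-privs for "everybody" (pid = -1) also loses the right to make any further cross-task revocations itself.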