The question you originally posed was one of a "setuid" remove script.
In the current non-capability model, there is no protection against
'nobody' running it. None besides straightforward file
permission/ownership -- as Astor points out.
> Considering users as:
>
> a. authorized to use the capability as desired
> b. limited by tools & not expected to find holes in the tools
> c. possibly serious crackers who are likely to look for holes
> User "nobody" is in group c, and should not be able to
> execute tools with such power.
> > If your claim is that when the cleanme.tool runs it will fail to
> > execute the unlink() operation on files it doesn't own, I hope I've
> > cleared that up.
>
> Just the opposite: the user must not have access to tools with
> that kind of power because the tools might be buggy.
The capability model has nothing to say about people's programming
(in)ability.
> I'm thinking of the shell removing files. The closest I can imagine
> is with redirection. Would that fail? Maybe it is good, but it
> doesn't seem very compatible.
I have absolutely no idea what you mean by this since I have already
explained how 'rm' can be safely implemented in this model.
Andrew
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu