Re: Secure-linux and standard kernel

MOLNAR Ingo (mingo@valerie.inf.elte.hu)
Fri, 26 Jun 1998 13:01:00 +0200 (MET DST)


On Fri, 26 Jun 1998, Stephen C. Tweedie wrote:

> > i think you are overlooking the fact that the kernel only evaluates this
> > 'extra info' if the given binary is a setuid root binary. Which means its
> > contents are absolutely trusted.
>
> You are overlooking the fact that in a posix.6 capabilities
> environment, there _is_ no trusted root user, and no single superuser
> privilege. The entire point of the capability mask is to eliminate
> that.

the RL point of the capability mask is not to remove root, the point is to
reduce risks of compromising security, given a constant number of
programmer-created errors in security-relevant code ...

yes, the almighty root 'suser()' call is gone, but there's not much point in
removing the root _account_, except in some very paranoid setups. Someone
still has to fix up stuff when a system gets broken ...

the point is not to remove the administrator (kinda silly, isn't it, except
maybe in the military, yes they kinda love solving problems by talking
them away), the point is to reduce/divide the power of those zillion
system-critical daemons and setuid-root binaries that rarely need that
much power.

[and, if you want, you can remove root too in the Posix way, just forbid
setting any inode mode to setuid-root in sys_chmod() except when CAP_SUID
is raised.]

-- mingo
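The sys_chmod() rule proposed above, modelled in user-space Python as an added example (not code from the message or from the kernel): the Inode class, the bit value chosen for CAP_SUID and the caller's capability mask argument are assumptions.

```python
import stat

# CAP_SUID is the capability name used in the message; the bit value is an assumption.
CAP_SUID = 1 << 0


class Inode:
    """Minimal stand-in for an on-disk inode: owner uid and mode bits."""

    def __init__(self, uid, mode):
        self.uid = uid
        self.mode = mode


def is_setuid_root(uid, mode):
    """The only case the message treats as fully trusted: setuid bit on a root-owned file."""
    return uid == 0 and bool(mode & stat.S_ISUID)


def sys_chmod(inode, new_mode, caller_caps):
    """Model of the proposed rule: a chmod that would leave a root-owned inode
    setuid is refused unless the caller has CAP_SUID raised. Clearing the bit,
    and setuid on files owned by other users, are unaffected."""
    if is_setuid_root(inode.uid, new_mode) and not (caller_caps & CAP_SUID):
        raise PermissionError("setuid-root mode requires CAP_SUID")
    inode.mode = new_mode
    return inode.mode


def chmod_allowed(inode, new_mode, caller_caps):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        sys_chmod(Inode(inode.uid, inode.mode), new_mode, caller_caps)
        return True
    except PermissionError:
        return False
```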

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu