>On Mon, Jul 20, 1998 at 11:19:26AM -0400, Zachary Amsden wrote:
>
>> Here is a patch to support uid/gid/fsuid/fsgid passing over unix
>> domain sockets. I think this is a better solution than a
>> set_hid_call because it is easily extensible to capabilities. This
>> patch is not 100% finished, but uid/gid passing does work.
>>
>
>Cool! I like this! :-)
>
>Just two comments which are really based on the same problem:
>
>- Being able to pass to the _effective_ set of the receiving process
>makes it possible to pass on a non-mutable capability since you are
>not allowed to move a capability from the effective set to the
>permitted set. This can be useful in certain situations.
Isn't it possible that the kernel, user libs or programs assume that the effective set is always a subset of the permitted set, and that some hidden security precaution in one of them (or in the POSIX def) would prevent this sort of feature? Nevertheless, I think it would be useful.
>- Should you be able to pass on uid/gid without having any sort of
>extra privileges?
No, that sounds risky to me.
--snip--
>So, to be on the safe side, we could have a CAP_MUTABLE which
>indicates that the uid/gid/fsuid/fsgid and capabilities of the process
>are mutable - i.e. the process is allowed to give them away. It is
>coarse-grained, but probably better than nothing. When this patch is
>integrated in the kernel, I really see no reason to keep CAP_SETPCAP
>at all, so the number of capabilities wouldn't change.
That would get rid of a number of holes, i.e. priviledged procs forgetting to drop privs before spawning subtasks, etc, and is probably a good idea.
One other advantage to doing this over a socket as opposed to a set_his_uid call is that we don't need to worry about races with dying customers and a pid grabber process.
Zachary Amsden
amsden@andrew.cmu.edu
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.altern.org/andrebalsa/doc/lkml-faq.html