Re: caps in elf headers: use the sticky bit!

Pavel Machek (pavel@bug.ucw.cz)
Sun, 11 Apr 1999 12:10:54 +0200


Hi!

> Geez, instead of overloading the meaning of 'setuid 0', let's just
> use the sticky bit! I.e., sticky bit==cap flag:

People/old programs do not realize that sticky bit means elevated
privileges. Which is bad from backwards-compatibility point of
view. I.e. I go to my sysadmin and ask him to set sticky on one of my
executables. He'll do so.

> - To set the cap flag, a user (process) needs CAP_SETFCAP raised, and the
> kernel (besides the normal fs checks) validates the cap headers as well
> for legality. (this also applies to creating files with this flag raised;
> i.e., through a copy operation)

You do not want this kind of support in kernel. Believe me. Better use
setuid0 as marker (those are already immutable) and userspace suid
program which implements your CAP_SETFCAP.

Pavel

-- 
I'm really pavel@atrey.karlin.mff.cuni.cz. 	   Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/