> Horst von Brand writes:
> > Richard Gooch <rgooch@atnf.csiro.au> said:
> >
> > The whole idea of capabilities is to get rid of all-powerful users, to
> > split the root powers among several people where _nobody_ has all
> > powers. Any scheme that keeps a root of some sort is broken.
>
> Whoever can grant caps is in effect all-powerful.
Sure, but this need not be tied to a given uid; heck, in a proper
capabilities-based system, this can _only_ be done, say, by logging in at
the console and supplying two or three passwords.
> > > Capabilities are a good thing, as they give more flexibility. But
> > > there simply is no need to cripple root.
> >
> > Then give root all capabilities. "To cripple root", as you call it, is not
> > _needed_, but it is essential to be _able to do it_, else you can get just
> > a fraction of the security benefits out of this scheme.
>
> What exactly do you see as the benefits of a crippled root? Compare
> that with a system where there is no root account, but euid=0 means
> all caps to the kernel. What are the real benefits?
You don't want the kernel to interpret _any_ uid as all-powerful. Rather,
CAP_SETFCAP is the all-powerful capability, which may be two separate
uid's can obtain after a complex authentication scheme.
>
> Regards,
>
> Richard....
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.rutgers.edu
> Please read the FAQ at http://www.tux.org/lkml/
>
- --
David L. Parsley
Network Specialist
City of Salem Schools
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/