Re: capabilities in elf headers, (my) final (and shortest) iteration

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Uwe Bonnes: "Re: 2.2.6, sg.c, scsi_logging_level and a versioned kernel"
• Previous message: Riley Williams: "Re: capabilities in elf headers, (my) final (and shortest) iteration"

>>> ...and works only for some types of files (how about a webserver
>>> written in Perl?).

>> That's up to the PERL interpreter to handle, not the kernel. After
>> all, the kernel ignores s[gu]id on scripts already, and the only
>> reason s[gu]id works on PERL scripts is because the PERL
>> interpreter handles the relevant capabilities if it sees the
>> s[gu]id flag set on the script it's running.

> Just where do you think the perl interpreter is going to look to
> decide what capabilities to enable? suidperl just stats the
> script and looks at the setuid bits to decide what to do. If the
> capability bits are not in the fs, where will suidcapperl find
> them? There ain't no ELF header in a script.

> Not that I really care one way or the other about capabilities,
> just wondering if anyone has really thought this through before
> posting "it's up to the interpreter"

{Shrug} Perhaps somebody can suggest some way that capabilities can
have meaning for a script, any script if it comes to that?

The best I've seen so far is for any script to require the
capabilities of whichever interpreter it uses, in which case a capable
script would use a different version of the interpreter that included
the capabilities the script needed, and to my way of thinking, such a
scheme is open to abuse...

Personally, I can see NO sensible meaning for attaching capabilities
to a script, at least not from an implementation viewpoint, and until
somebody comes up with a sensible meaning for doing so, I see no point
in even allowing scripts to be given capabilities separate from the
interpreter they use...

Best wishes from Riley.

+----------------------------------------------------------------------+
| There is something frustrating about the quality and speed of Linux |
| development, ie., the quality is too high and the speed is too high, |
| in other words, I can implement this XXXX feature, but I bet someone |
| else has already done so and is just about to release their patch. |
+----------------------------------------------------------------------+
* ftp://ftp.MemAlpha.cx/pub/rhw/Linux
* http://www.MemAlpha.cx/kernel.versions.html

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

• Next message: Uwe Bonnes: "Re: 2.2.6, sg.c, scsi_logging_level and a versioned kernel"
• Previous message: Riley Williams: "Re: capabilities in elf headers, (my) final (and shortest) iteration"