Re: Capabilities done right [diff against 2.3.1]

Pavel Machek (pavel@atrey.karlin.mff.cuni.cz)
Mon, 17 May 1999 11:21:25 +0200


Hi!

> > Only other executables are a.out (nobody uses them these days) and
> > scripts. But take a look: we do not honour setuid bit on scripts,
> > anyway!
>
> I know. But that's not a feature - it's a misfeature forced upon us by the
> fact that "sh" was never very good at understanding security issues.
>
> Let's not use a misfeature as an argument against doing things
> right.

Is that missfeature of sh? I thought that it was race between sh being
loaded and potential change of file. Malicious user could delete suid
program and replace it with his own code with other name -- that is
not easily worked around. So capabilities support will have to go into
sperl, anyway.

Anyway, suid is currently not honoured by scripts. It will take
_years_ before we'll get all tools like tar, cp, nfs, etc. work right
with capbilities-in-namespace. By putting capabilities in name space
you have to teach admins about new dangers: there are priviledged
executables which have raised priviledges. These are all changes that
are probably good thing - in distant future. But I think that we want
something before that distant feature - and for common case (elf
executables) solution is not that hard.

It may show that elf capabilities will be nice even when we have
filesystem support: they have nice property of being able to travel
across other unixes unharmed.

Did I convince you now?

Pavel

-- 
The best software in life is free (not shareware)!		Pavel
GCM d? s-: !g p?:+ au- a--@ w+ v- C++@ UL+++ L++ N++ E++ W--- M- Y- R+

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/