Re: capability disablers... in ELF...

John Wojtowicz (wojtowij@tcs-sec.com)
Wed, 19 May 1999 13:24:10 -0400


At 09:42 AM 5/19/99 +0200, you wrote:

>> In a full implementation this is done in conjunction with the process
>> privilege sets, and the file privilege sets (which are the forced and
>> allowed sets).
>>
>> This is how it works. A privileged process has priv a, b, and c in its
>> effective set, inheritable and permitted sets. It execs another program
>> that has none in its allowed set and none in its forced set (on the file).
>> Since the new process's effective, permitted and inheritable sets are
>> determined by the intersection of the inheritable of the parent, and the
>> allowed of the child (which is none) and the child process gets no effective,
>> permitted, or allowed privileges.
>>
>
>.. and this is how it works in Linux too. The "reduce" capabilities
>stuff refers to the ability to reduce the allowed, forced and
>effective sets of the executables. A suid program is considered to
>have a full allowed, forced and effective set. Then the cap-stuff can
>reduce those sets before the normal capability rules are applied.
>

The main difference here is that suid bit isn't key in any way to privileges
in other trusted operating systems. The forced and allowed sets on the
file itself are. All the suid bit does on other trusted OSes is
cause the program to get run as (possibly) another uid. No privileges
are implied by the suid bit (or uid 0) on these systems. Here if you can
manage to remove the ELF headers some way, your security model falls
apart.

>astor
>
>--
> Alexander Kjeldaas, Fast Search & Transfer, Trondheim, Norway
>
>

--
John Wojtowicz, Secure Systems Engr.  ph:    (703) 318-7134
Trusted Computer Solutions, Inc.      fax:   (703) 318-5041
13873 Park Center Rd. Suite 225       email: jwojtowicz@tcs-sec.com
Herndon, VA  20171                    http://www.tcs-sec.com/
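The two exec rules the quoted paragraphs describe, as an added example that is not part of this mail, the thread, or any kernel's code: a small Python model in which privileges are strings and a frozenset stands in for a capability set. The names (Process, FilePrivs, exec_child, file_privs_suid_model, file_privs_trusted_model, PARENT) are made up for this example. Two things are this example's assumptions rather than statements from the mail: that a file's forced set is added to whatever the intersection rule grants, and that the Linux "reduce" data is a set of privileges subtracted from the full set, with a missing header subtracting nothing.

```python
# Added example (not from the mail or from any real kernel): a small model of
# the privilege-set rules the thread describes, with privileges as strings.
from dataclasses import dataclass
from typing import Optional

# The three privileges named in the quoted example.
ALL_PRIVS = frozenset({"a", "b", "c"})
NONE = frozenset()


@dataclass(frozen=True)
class Process:
    effective: frozenset
    permitted: frozenset
    inheritable: frozenset


@dataclass(frozen=True)
class FilePrivs:
    """Privilege sets carried by the executable file itself."""
    allowed: frozenset  # may be received from the parent's inheritable set
    forced: frozenset   # assumed here to be granted regardless of the parent


def exec_child(parent: Process, f: FilePrivs) -> Process:
    """The exec rule from the quoted paragraph: the child's effective, permitted
    and inheritable sets are the intersection of the parent's inheritable set
    with the file's allowed set.  Adding the file's forced set on top is this
    example's assumption about what 'forced' means."""
    granted = (parent.inheritable & f.allowed) | f.forced
    return Process(effective=granted, permitted=granted, inheritable=granted)


def file_privs_suid_model(is_suid: bool, reduce_header: Optional[frozenset]) -> FilePrivs:
    """Kjeldaas' description: a suid program is treated as having full allowed,
    forced and effective sets, and the 'reduce' data shrinks them before the
    normal rule runs.  The header is modelled as the set of privileges to drop;
    None stands for a stripped or absent header, which drops nothing."""
    if not is_suid:
        return FilePrivs(allowed=NONE, forced=NONE)
    keep = ALL_PRIVS - (reduce_header or NONE)
    return FilePrivs(allowed=keep, forced=keep)


def file_privs_trusted_model(header: Optional[FilePrivs]) -> FilePrivs:
    """Wojtowicz's point: the suid bit is not an input at all; only the sets
    recorded on the file count, and a file with none recorded gets none."""
    return header if header is not None else FilePrivs(allowed=NONE, forced=NONE)


# A parent that holds a, b and c in all three sets, as in the quoted example.
PARENT = Process(effective=ALL_PRIVS, permitted=ALL_PRIVS, inheritable=ALL_PRIVS)


def compare_header_stripped() -> dict:
    """What a suid child ends up with in each model when the file's privilege
    header has been removed.  Returns the child's effective set per model."""
    return {
        "suid_model": exec_child(PARENT, file_privs_suid_model(True, None)).effective,
        "trusted_model": exec_child(PARENT, file_privs_trusted_model(None)).effective,
    }


if __name__ == "__main__":
    # File with empty allowed and forced sets: child gets nothing (both models).
    print(exec_child(PARENT, FilePrivs(NONE, NONE)).effective)
    # Suid file whose reduce header drops b and c: child keeps only a.
    print(exec_child(PARENT, file_privs_suid_model(True, frozenset({"b", "c"}))).effective)
    # Header gone: the suid model hands over the full set, the trusted model nothing.
    print(compare_header_stripped())
```

Running it shows the difference the mail is pointing at: with the file's privilege data removed, the suid-derived model grants the child every privilege, while the model keyed only on the file's own forced and allowed sets grants none.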
