> > That is a kludge, and it won't work at all when capabilities are done right
> > in the filesystem.
> I don't see why Perl's mechanism for SUID scripts used on Linux couldn't
> be expanded to cover capabilites as well. Except that that would make
> as small part of Perl the single point of failure in the security system.
I don't want to trust an all-capable Perl interpreter. Not on a system that
is important/critical enough to be secured by capabilitites. A clean
solution is given if the script carries capabilities, the kernel notes this
and invokes the interpreter with the capabilities the filesystem grants. In
this case it is useless to trick the interpreter.
-- Horst von Brand vonbrand@sleipnir.valparaiso.cl Casilla 9G, Viņa del Mar, Chile +56 32 672616
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/