Pavel Machek <pavel@suse.cz> said:
> In-Reply-To: <200002192338.e1JNcw216382@sleipnir.valparaiso.cl>; from vonbrand@
> ***sleipnir.valparaiso.cl on Sat, Feb 19, 2000 at 08:38:58PM -0300
> > > If you want to elevate some priviledges, make it setuid 0 (that will
> > > give it all capabilities) and you can now copy forced into
> > > allowed. You are done. You have nice compatibility (ls) for free, and
> > > you have 32 more bits for your use!
> > Who says running as UID == 0 gives you all capabilities? Why have a
> Backwards compatibility.
Doesn't cut it: It is _exactly_ what capabilities are designed to avoid.
You can get (some) backwards compatibility by setting capabilities
adequately.
> > distinguished root user at all? OTOH, it does make sense to have a program
> > that can modify files belonging to DNS, and which is allowed to bind to a
> > low port, but nothing else. The UID/GID (and ACL) stuff and capabilities
> > are complementary.
> I said that different uid is where this gets ugly ;-). Take a look at
> elfcap.
Unless you cleanly separate UID/GID from capabilities, and place that under
the direct control of the kernel (i.e., into the filesystem) all you get is
an ugly hybrid with old and new problems.
> (Program that can modify files for DNS and which is allowed to bind
> low port is doable with elfcap, but not with this proposal, because
> there are no additional bits to store "new uid" as I do in elfcap.
Why can't it be done in this proposal? Binding to a low port is a
capability (or should be made one, as it is one of the special powers root
enjoys right now).
-- Horst von Brand vonbrand@sleipnir.valparaiso.cl Casilla 9G, Viņa del Mar, Chile +56 32 672616- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Feb 23 2000 - 21:00:26 EST