Re: Bug in how capability inheritance is handled in "fs/exec.c", 2.3.99

From: David L. Parsley (parsley@roanoke.edu)
Date: Wed May 31 2000 - 10:40:59 EST


"Theodore Y. Ts'o" wrote:
> Casey Schaufler wrote:
> > I concur*. It is unfortunate that the POSIX work died, and that
> > another forum hasn't presented itself to replace it. If someone
> > (NIST? SGI? Casey's Capability Clearance Center?) held a workshop
> > would anyone show up? How about if I supplied the beer?
>
> Hi Casey,
>
> I'd be interested.

I'd be interested as well. It would probably be easiest for me if it
coincided with a show; maybe LinuxWorld in August?

> A lot of innocent bits have been deforested
> while trying to work out the differences between what Linux is doing (which
> is basically following Draft 17), and what Trusted Irix is doing (which
> apparently is following Draft 16).
>
> One of the problems is that the draft doesn't state how the bits
> would typically get used. For example, what would the PIE permissions
> be on a typical system after login is run? What should the file capsets
> be on executables if certain privileges should be forced, or if certain
> privileges should be allowed to be inherited?

I think we could improve the quality of discussion in several ways:
1) move it to the CAPS mailing list and off lkml to cut down on noise.
(if the old capabilities list is defunct, I could provide this)
2) adopt a standard notation for rules, cap sets, and examples of
application.
3) find some common scenarios for real systems to apply proposals to;
for each proposal we should work out compatibility behavior as well as
behavior in a system with caps in the filesystem and some
'capability-aware' binaries.
4) get some web space to put up documents for discussion, such as full
specifications for proposals and standard notation (I could provide
this)

> If we have such a meeting, I would propose the following two
> agenda items:
>
> * Should Linux continue to follow the specification found in Posix.1e
> Draft 17, the last version of the specification? Or should it
> use some other system, such as Draft 16, which apparently
> Trusted Irix is using?

Or another system altogether? Personally, and no intended offense to
SGI, I think we could do better than either. Since there's obviously
not a single clear-cut standard, and since Linux market share will
outstrip that of all other Posix/UNIX implementations, I think we're in
a position to implement what's best, if it's provably better than what
exists.

> Key questions to help us answer this question are:
>
> (1) What are the security properties of D16 vs. D17?

Or ANY given proposal. This is why we need to standardize our notation
and examples, so we're all on the same page and can objectively analyze
a proposal. I think one problem is that, right now, our e-mails are
long and hard to wade through.

> * What are the appropriate settings of PIE masks of executables
> and processes? This needs to be documented, with a rationale
> about why things are the way they are.

Definitely. We need to work through examples of operation on a
real-world system.

> Also, if people are interested in having it on the east coast, I can
> probably arrange to host a meeting at a Boston area hotel. (Anything to
> get out of Yet Another Cross Country plane trip. :-)

With a few weeks' notice, I could probably swing something like this.

regards,
        David

-- 
David L. Parsley
Network Administrator
Roanoke College

This archive was generated by hypermail 2b29 : Wed May 31 2000 - 21:00:27 EST