Re: [RFC] Making capabilities useful with legacy apps

From: Pavel Machek (pavel@suse.cz)
Date: Mon May 13 2002 - 07:55:21 EST


Hi!

> In attempt to make capabilities more useful before the filesystem support
> arrives, I would like to "wrap" non-capabilities aware apps.
>
> For example:
>
> # capwrap --user nobody --grp nobody --cap CAP_NET_BIND_SERVICE nc -l -p 80

That looks pretty nice...

> This wrapper[1] (that would increase security) won't work with the current
> kernel though, because at step 6, all capabilities are cleared.

This should be fixed, then.
                                                                        Pavel
PS: you could ptrace attach yourself, fork and exec on root, and then force
newly exec-ed app to give up id... But that's an ugly and complicated hack.

-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.
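The "capabilities cleared at exec" problem the quoted wrapper ran into was later addressed by ambient capabilities (Linux 4.3+), which let a process hand a capability to an exec'd program without filesystem capability support. The following minimal capwrap in C is an added example with the interface from the quoted message, not code from this thread; it assumes a Linux 4.3+ kernel, and its name-to-number table is a constructed four-entry subset of <linux/capability.h>.

```c
/* capwrap.c: drop root to an unprivileged uid/gid but carry exactly one
 * capability across execve() via the ambient set (Linux 4.3+). Added example,
 * not the wrapper from the original post, which predates this mechanism.
 * Build: cc -Wall -o capwrap capwrap.c ; run as root: ./capwrap nobody CAP_NET_BIND_SERVICE nc -l -p 80 */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef PR_CAP_AMBIENT            /* older libc headers may lack these values */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif
/* Minimal mirror of the capset(2) ABI so the example does not need libcap. */
struct cap_hdr { unsigned int version; int pid; };
struct cap_data { unsigned int effective, permitted, inheritable; };
#define CAP_ABI_V3 0x20080522u
static const struct { const char *name; int num; } cap_names[] = {   /* constructed subset; numbers as in <linux/capability.h> */
    { "CAP_SETGID", 6 }, { "CAP_SETUID", 7 }, { "CAP_NET_BIND_SERVICE", 10 }, { "CAP_NET_RAW", 13 },
};
int cap_from_name(const char *name) {            /* returns -1 if unknown */
    for (size_t i = 0; i < sizeof cap_names / sizeof *cap_names; i++)
        if (strcmp(cap_names[i].name, name) == 0) return cap_names[i].num;
    return -1;
}
/* Switch to uid/gid keeping only `cap` in permitted, effective, inheritable and
 * ambient, so the program exec'd next starts with it and nothing else. */
int drop_to_user_keeping_cap(uid_t uid, gid_t gid, int cap) {
    struct cap_hdr hdr = { CAP_ABI_V3, 0 };
    struct cap_data d[2] = { { 0, 0, 0 }, { 0, 0, 0 } };
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -1;    /* permitted set survives setuid() */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    d[cap / 32].permitted = d[cap / 32].effective = d[cap / 32].inheritable = 1u << (cap % 32);
    if (syscall(SYS_capset, &hdr, d) < 0) return -1;         /* shed every other capability */
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0 ? -1 : 0;
}

int main(int argc, char **argv) {
    struct passwd *pw = argc >= 4 ? getpwnam(argv[1]) : NULL;
    int cap = argc >= 4 ? cap_from_name(argv[2]) : -1;
    if (!pw || cap < 0) { fprintf(stderr, "usage: %s USER CAP_NAME CMD...\n", argv[0]); return 2; }
    if (drop_to_user_keeping_cap(pw->pw_uid, pw->pw_gid, cap) < 0) { perror("capwrap"); return 1; }
    execvp(argv[3], argv + 3);
    perror("execvp");
    return 1;
}
```

The exec'd program sees the capability in its permitted and effective sets because the ambient set is preserved across execve(); every other capability, and root itself, is gone before the exec.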




This archive was generated by hypermail 2b29 : Tue May 14 2002 - 12:00:21 EST