Re: [PATCH] capabilities not inherited
From: Chris Wright
Date: Wed Jun 08 2005 - 16:57:01 EST
* Manfred Georg (mgeorg@xxxxxxxxxxxxx) wrote:
>
> On Wed, 8 Jun 2005, Alexander Nyberg wrote:
> >btw since the last discussion was about not changing the existing
> >interface and thus exposing security flaws, what about introducing
> >another prctrl that says maybe PRCTRL_ACROSS_EXECVE?
>
> Wasn't the original inherited set supposed take care of that?
The filesystem part was quite integral to the original intent.
> >Any new user-space applications must understand the implications of
> >using it so it's safe in that aspect. Yes?
>
> As far as I can tell, applying the patch from the earlier discussion
> and setting the inherited set has the same, "I really meant to do this"
> effect as what you propose.
>
> >(yeah it's rather silly since there already is an unused
> >keep_capabilities flag but that would change old interfaces so ok)
>
> Isn't the keep_capabilities flag related to setuid() ? or did I miss
> something.
Yes, it is, but it's tempting to reuse to really keep them. I think
that's the point.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/