Re: understanding Linux capabilities brokenness
From: Jan Engelhardt
Date: Tue Aug 09 2005 - 03:10:05 EST
Hello,
Ts'o wrote:
>since _obviously_ when root calls setuid(), it never fails, right?
Well this really depends on how privileged a certain root user (think of
SELinux and others) is.
>(2) There was some debate about whether or not this method was the
>course of wisdom,
James Morris wrote:
>Should we be thinking about deprecating and removing capabilities from
>Linux?
My one half says no. But it needs reworking. Just look what I had to do
with the linux source code in order to get this
< ftp://ftp.gwdg.de/linux/misc/suser-jengelh/multiadm-1.0.tbz2 > to work as
intended - I had to poke really hard on caps stuff to get this module done.
And my other half says yes, because it is ironic to give a user all caps
and then limit a certain user's permissions using LSM hook functions. So in
effect, if you wanted root accounts of varying powers, all of them would need
some - or even all - caps so that the code flow can reach the security_*()
functions at all, because capable() is done before security_*(). So to get to
security_*(), caps must be enabled, which turns a
if(!capable(CAP_DAC_OVERRIDE)) return;
into, effectively,
if(0) return;
With regard to _this_, I think it would be best to kill the cap checks, and
let a security_* function handle it, in the style of "security/traditional.c".
Jan Engelhardt
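As an added illustration (not code from the mail or from the kernel), a small user-space C model of the two check orders described above: a stand-in `capable()` that only tests a bit, a stand-in `security_*()` hook, and the two flows side by side. The task struct, the `lsm_allows_dac` policy field and the function names are assumptions; only the capability number mirrors `linux/capability.h`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not kernel code. CAP_DAC_OVERRIDE is capability
 * number 1 in linux/capability.h; here it is turned into a mask bit. */
#define CAP_DAC_OVERRIDE 1
#define CAP_MASK(cap) (1u << (cap))

struct task {
    uint32_t caps;        /* effective capability set (assumed layout) */
    bool lsm_allows_dac;  /* what the security_*() hook would decide (assumed) */
};

/* Stand-in for capable(): a pure bit test, no policy involved. */
static bool capable(const struct task *t, int cap)
{
    return (t->caps & CAP_MASK(cap)) != 0;
}

/* Stand-in for an LSM hook; a real module would consult its policy here. */
static bool security_dac_override(const struct task *t)
{
    return t->lsm_allows_dac;
}

/* Flow as described in the mail: capable() runs first, so a task that
 * lacks the bit never reaches the security_*() hook, whatever it would say. */
bool may_override_dac_current(const struct task *t)
{
    if (!capable(t, CAP_DAC_OVERRIDE))
        return false;
    return security_dac_override(t);
}

/* Proposed flow: the security_*() function alone decides. */
bool may_override_dac_proposed(const struct task *t)
{
    return security_dac_override(t);
}

int main(void)
{
    /* Constructed tasks: a "limited root" the LSM would allow but which
     * holds no caps, and a full-caps root the LSM wants to deny. */
    struct task limited = { .caps = 0, .lsm_allows_dac = true };
    struct task full = { .caps = CAP_MASK(CAP_DAC_OVERRIDE), .lsm_allows_dac = false };
    printf("limited root: current=%d proposed=%d\n",
           may_override_dac_current(&limited), may_override_dac_proposed(&limited));
    printf("full root, LSM denies: current=%d proposed=%d\n",
           may_override_dac_current(&full), may_override_dac_proposed(&full));
    return 0;
}
```

In the current flow the limited root is refused before the LSM is ever asked, which is why varying-power roots end up needing the caps anyway; in the proposed flow the hook's decision is the only one that counts.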