Re: LSM conversion to static interface
From: Jan Engelhardt
Date: Tue Oct 23 2007 - 11:28:39 EST
On Oct 23 2007 10:20, Serge E. Hallyn wrote:
>
>Once the per-process capability bounding set is accepted
>(http://lkml.org/lkml/2007/10/3/315) you will be able to do something
>like:
>
> 1. Create user 'jdoe' with uid 0
UID 0 is _not_ acceptable for me.
> 2. write a pam module which, when jdoe logs in, takes
> CAP_NET_ADMIN out of his capability bounding set
> 3. Now jdoe can log in with the kind of capabilities subset
> you describe.
It is not that easy.
CAP_DAC_OVERRIDE is given to the subadmin to bypass the pre-security
checks in kernel code, and then the detailed implementation of
limitation is done inside multiadm.
This is not just raising or lowering capabilities.
>It's not a perfect solution, since it doesn't allow jdoe any way at all
>to directly execute a file with more caps (setuid and file capabilities
>are subject to the capbound). So there is certainly still a place for
>multiadm.
A normal user can execute suid binaries today, and so can s/he with mtadm.
I do not see where that will change - it does not need any caps atm.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/