Re: LSM conversion to static interface

From: Valdis Kletnieks
Date: Thu Oct 25 2007 - 06:23:35 EST


On Tue, 23 Oct 2007 10:34:09 CDT, "Serge E. Hallyn" said:

> And he will still be able to *run* the suid binary, but if cap_bound is
> reduced he won't be able to use capabilities taken out of the bounding
> set, multiadm loaded or not.

I am willing to bet that there's still a *lot* of unaudited set[ug]id code
out there that's vulnerable to the same sorts of attacks as the one that
hit Sendmail a few back. As such, I have to agree with your original
post of the patch that CAP_SYS_ADMIN should be required to lower the set,
as there's just too much danger of an exploit if users can create their
own reduced-set processes.

I'm debating whether we should have a printk if we detect that a removed
capability caused an -EPERM. Yes, it can be used to spam the logs. On the
other hand, I as the sysadmin would like to know if it's happening. Looks like
time for a sysctl or something....
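As an added illustration of the sysadmin-side view this message asks for (example code written here, not part of the thread or of the patch under discussion): a small auditor that reads a process's capability bounding set from `/proc/<pid>/status` and lists which capabilities have been removed, which is the information you would want when a set[ug]id binary starts failing with EPERM. It assumes the per-process bounding set that later landed in Linux 2.6.25 (where dropping via `prctl(PR_CAPBSET_DROP)` requires CAP_SETPCAP rather than the CAP_SYS_ADMIN suggested here); `KNOWN_LAST_CAP` and the `SAMPLE_STATUS` text are constructed for the example, and the hex mask in it is not captured from any real host.

```c
/*
 * Added example (not from the thread): audit a process's capability
 * bounding set from /proc/<pid>/status. Assumes a Linux kernel with the
 * per-process bounding set (2.6.25+). SAMPLE_STATUS is constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Highest capability number known to this program (CAP_CHECKPOINT_RESTORE). */
#define KNOWN_LAST_CAP 40

/* Constructed /proc/<pid>/status fragment; the CapBnd mask mirrors the
 * default bounding set handed out by a common container runtime. */
static const char SAMPLE_STATUS[] =
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n";

/* Parse the CapBnd line. Returns 0 and stores the mask, or -1 if absent. */
int parse_capbnd(const char *status, uint64_t *out)
{
    const char *p = strstr(status, "CapBnd:");
    if (!p)
        return -1;
    *out = strtoull(p + strlen("CapBnd:"), NULL, 16); /* strtoull skips the tab */
    return 0;
}

/* 1 if capability `cap` is in the bounding-set mask, else 0. */
int cap_in_bset(uint64_t bset, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((bset >> cap) & 1ULL);
}

/* Number of capabilities in 0..last_cap that are missing from the mask. */
int count_missing(uint64_t bset, int last_cap)
{
    int n = 0;
    for (int c = 0; c <= last_cap; c++)
        if (!cap_in_bset(bset, c))
            n++;
    return n;
}

/* Lowest missing capability in 0..last_cap, or -1 if none is missing. */
int first_missing(uint64_t bset, int last_cap)
{
    for (int c = 0; c <= last_cap; c++)
        if (!cap_in_bset(bset, c))
            return c;
    return -1;
}

/* Bounding set of the constructed sample (0 if the line is not found). */
uint64_t sample_bset(void)
{
    uint64_t b = 0;
    if (parse_capbnd(SAMPLE_STATUS, &b) != 0)
        return 0;
    return b;
}

int main(void)
{
    char buf[8192];
    uint64_t bset = 0;
    int live = 0; /* 1 when bset came from this process, not the sample */
    FILE *f = fopen("/proc/self/status", "r");

    if (!f) {
        puts("no /proc/self/status here; using the constructed sample instead");
        bset = sample_bset();
    } else {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
        buf[n] = '\0';
        if (parse_capbnd(buf, &bset) != 0) {
            puts("CapBnd line not found");
            return 1;
        }
        live = 1;
    }
    printf("CapBnd = %016llx, %d of %d capabilities removed\n",
           (unsigned long long)bset, count_missing(bset, KNOWN_LAST_CAP),
           KNOWN_LAST_CAP + 1);
    /* A set[ug]id binary needing one of these gets EPERM: list them. */
    for (int c = 0; c <= KNOWN_LAST_CAP; c++) {
        if (cap_in_bset(bset, c))
            continue;
        printf("  cap %d not in bounding set", c);
#ifdef __linux__
        /* Cross-check against the kernel's own view of this process. */
        if (live && prctl(PR_CAPBSET_READ, c, 0, 0, 0) == 0)
            printf(" (confirmed by PR_CAPBSET_READ)");
#endif
        putchar('\n');
    }
    return 0;
}
```

Run it inside a container or under a service manager that trims the bounding set and the removed capabilities are listed by number; the `PR_CAPBSET_READ` cross-check needs no privilege, so the same tool works for an unprivileged user trying to explain an unexpected EPERM.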
