Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)

[Serge E. Hallyn]

Quoting Michael Stone (michael@xxxxxxxxxx):
> Tetsuo Handa wrote:
> 
> >Michael Stone wrote:
> >>Examples of software that I want to be able to gain privileges normally include:
> >>
> >>   rainbow, which requires privilege in order to add new accounts to the system
> >>   and in order to call setuid() but which does not require networking
> >>   privileges.
> >
> >If the system is not using local files (i.e. /etc/passwd and /etc/shadow),
> >the process who wants to add new accounts to the system might need network
> >access (e.g. to LDAP server), doesn't it?
> 
> General purpose account manipulation tools might need network access but
> rainbow handles all its account manipulations via state stored in
> /var/spool/rainbow/2. This state is made available to the rest of the system
> via libnss_rainbow.
> 
> Michael

Michael, I'm sorry, I should go back and search the thread for the
answer, but don't have time right now - do you really need
disablenetwork to be available to unprivileged users?  Or is it ok
to require CAP_SETPCAP (same thing required for dropping privs from
bounding set)?  Surely rainbow could be started either with that
capability, or even from a smaller, easier-to-audit wrapper that
has the capability, calls disablenetwork, then launches rainbow?

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/