I guess I misunderstand the concept here. I thought that capabilities were
a mechanism to allow one to be more selective in allowing root permissions
to non-root userids (so that you don't have to give out "root" userids).
> [pjoot@openfire cap]$ touch /blah
I shouldn't be able to do this (and can't) because my userid doesn't have
permission to create files under / -- what did you mean here?
> [pjoot@openfire cap]$ ls -l /blah
> -rw-r--r-- 1 pjoot build 0 Apr 17 13:24 /blah
> [pjoot@openfire cap]$ ./debugwrap rm /blah
>
> Unless root happens to own the cap directory, I believe you'll have some
> trouble deleting the file.
presuming the file is there, there is no problem deleting it:
[pjoot@openfire cap]$ ./debugwrap touch /blah
[pjoot@openfire cap]$ ls -l /blah
-rw-r--r-- 1 root build 0 Apr 17 15:04 /blah
[pjoot@openfire cap]$ ./debugwrap rm /blah
[pjoot@openfire cap]$ ./debugwrap ls /blah
ls: /blah: No such file or directory
It seems to me that when we have removed all root capabilities except
ptrace this shouldn't be allowed.
This seems to be a particularity to create files as root. ./debugwrap
doesn't allow me to mount filesystems (CAP_SYS_PACCT), as I would expect
since we have removed this capability.
Peeter
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/