Re: caps in elf headers: use the sticky bit!

Albert D. Cahalan (acahalan@cs.uml.edu)
Sat, 17 Apr 1999 20:15:22 -0400 (EDT)


Theodore Y. Ts'o writes:
>> From: Pavel Machek <pavel@bug.ucw.cz>

>> It is not a showstopper. Your capabilities do NOT prevent you from
>> trojan horses. If you run program with uid=0, it does not need any
>> special privileges to screw you up. [Hint: who is owner of /etc/passwd?]
>
> Then don't run programs setuid root! This is why using setuid root as
> the method for marking that a file has capabilities is a complete
> non-starter, as we have discussed before.

Clearly you have missed a large chunk of the discussion.

The file gets marked setuid-root, but only runs setuid-root as an option.
The setuid-root setting is only required to indicate trust.

magic kernel effect
----- ------ --------------------------
ELF old setuid-root
ELF new as specified in the header
FLE old will not run
FLE new as specified in the header

If there is a real need to let enhanced executables run without privileges
on an obsolete kernel, there might be an ext2 flag solution for local files.
One could also _optionally_ trust the sticky bit on a read-only NFS mount.

Please read http://www.cs.uml.edu/~acahalan/linux/cap.txt if you haven't
already. I'd like to have some comments on the proposal.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/