file effective and process inheritable mask

David L. Parsley (kparse@salem.k12.va.us)
Thu, 22 Apr 1999 14:52:08 -0400 (EDT)


Hi Casey,
I'm directing this at you because you obviously have real
experience working with capabilities. (but I'm certainly interested in
the opinion of others, as well)

In thinking about implementing a system based on capabilities, two
things have struck me, and I'd be interested in your opinions based on
real-world use. One is that the file effective set seems superfluous;
i.e., if the program is _not_ capability aware, the effective set for the
new process should just be equal to the permitted set, otherwise the
program won't be able to accomplish its job; if it _is_ capability aware,
then it should manipulate its own effective set. So really, I still
don't see why we need fE (file effective).

Two, (and I'm thinking mostly here about non-cap-aware binaries),
it seems like it would be nice to be able to constrain the passage of the
inheritable set using our cap-elf model. I'm referring to an fM, where it
masks off bits in the inheritable by the formula pI' = pI && fM. This
occurs to me after thinking about an admin account starting a program by
hand, where the shell might have a mostly full inheritable set. This
seems like a bad security issue, since that program can exec() another
program with a more potent inheritable set.
I've read that the idea is for privs to be able to pass through a
chain of programs which themselves may have little or no pP, which is
fine, but IMHO it would be nice to stop this effect for many binaries.
(still thinking of named, telnetd, ... system services)

comments?

anyone else?

cheers,
David

-- 
David L. Parsley
Network Specialist
City of Salem Schools
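Editor's added example (not part of the post): a small bitmask model of the exec() transition, written to show the two points above. It assumes the POSIX.1e-draft style rules of the early cap-elf model (pP' = (pI & fI) | fP, pE' = pP' & fE, pI' = pI) and adds the hypothetical fM mask from the post as pI' = pI & fM; the CAP_* bit positions and the named/helper binaries are constructed.

```python
"""Bitmask model of Linux capability sets across exec().

Constructed example. Transition rules are POSIX.1e-draft style as used by
the early cap-elf model (assumption), plus the hypothetical fM mask from
the post (pI' = pI & fM). Bit positions are made up, not real CAP_* values.
"""
CAP_NET_BIND = 1 << 0   # constructed bit positions, not real CAP_* numbers
CAP_CHOWN = 1 << 1
CAP_SYS_ADMIN = 1 << 2
ALL = CAP_NET_BIND | CAP_CHOWN | CAP_SYS_ADMIN


def exec_transition(proc, elf):
    """Return the new process sets (pP, pE, pI) after exec of a cap-elf binary.

    proc: {"pP", "pI", "pE"}; elf: {"fP", "fI", "fE"} plus optional "fM".
    """
    pP = (proc["pI"] & elf["fI"]) | elf["fP"]   # inherited-and-allowed, or forced
    pE = pP & elf["fE"]                         # fE selects what starts effective
    pI = proc["pI"] & elf.get("fM", ALL)        # hypothetical fM masks pass-through
    return {"pP": pP, "pE": pE, "pI": pI}


def non_cap_aware(fP, fI, fM=None):
    """A legacy (non-cap-aware) binary: fE must equal fP, or the program
    cannot use its permitted set (the post's point about fE)."""
    elf = {"fP": fP, "fI": fI, "fE": fP}
    if fM is not None:
        elf["fM"] = fM
    return elf


def privilege_chain(shell, daemon, helper):
    """Exec daemon from the shell, then helper from the daemon; return
    the helper's resulting permitted set."""
    after_daemon = exec_transition(shell, daemon)
    after_helper = exec_transition(after_daemon, helper)
    return after_helper["pP"]


# Admin shell with a full inheritable set, the scenario in the post.
SHELL = {"pP": ALL, "pI": ALL, "pE": ALL}
# A service like named: needs only to bind a low port, accepts nothing inherited.
NAMED = non_cap_aware(fP=CAP_NET_BIND, fI=0)
# A helper the service might exec, whose fI accepts everything.
HELPER = non_cap_aware(fP=0, fI=ALL)

if __name__ == "__main__":
    print("without fM:", privilege_chain(SHELL, NAMED, HELPER))  # 7, i.e. ALL
    print("with fM=0: ", privilege_chain(SHELL, non_cap_aware(CAP_NET_BIND, 0, fM=0), HELPER))  # 0
```

Without fM the helper ends up with the shell's whole inheritable set as permitted even though named itself only held CAP_NET_BIND; masking pI with fM=0 on named stops the pass-through.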

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/