Re: [PATCH] capabilities not inherited

From: Manfred Georg
Date: Wed Jun 08 2005 - 16:35:38 EST

Next message: Andrew Morton: "Re: System state too high for too long..."
Previous message: Andrew Morton: "Re: BUG in i2c_detach_client"
In reply to: Alexander Nyberg: "Re: [PATCH] capabilities not inherited"
Next in thread: Alexander Nyberg: "Re: [PATCH] capabilities not inherited"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 8 Jun 2005, Alexander Nyberg wrote:

btw since the last discussion was about not changing the existing
interface and thus exposing security flaws, what about introducing
another prctrl that says maybe PRCTRL_ACROSS_EXECVE?

Wasn't the original inherited set supposed take care of that?

Any new user-space applications must understand the implications of
using it so it's safe in that aspect. Yes?

As far as I can tell, applying the patch from the earlier discussion
and setting the inherited set has the same, "I really meant to do this"
effect as what you propose.

(yeah it's rather silly since there already is an unused
keep_capabilities flag but that would change old interfaces so ok)

Isn't the keep_capabilities flag related to setuid() ? or did I miss
something.

Manfred
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrew Morton: "Re: System state too high for too long..."
Previous message: Andrew Morton: "Re: BUG in i2c_detach_client"
In reply to: Alexander Nyberg: "Re: [PATCH] capabilities not inherited"
Next in thread: Alexander Nyberg: "Re: [PATCH] capabilities not inherited"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]