Re: [PATCH] capabilities not inherited

[Chris Wright]

* Manfred Georg (mgeorg@xxxxxxxxxxxxx) wrote:
> 
> On Wed, 8 Jun 2005, Alexander Nyberg wrote:
> >btw since the last discussion was about not changing the existing
> >interface and thus exposing security flaws, what about introducing
> >another prctrl that says maybe PRCTRL_ACROSS_EXECVE?
> 
> Wasn't the original inherited set supposed take care of that?

The filesystem part was quite integral to the original intent.

> >Any new user-space applications must understand the implications of
> >using it so it's safe in that aspect. Yes?
> 
> As far as I can tell, applying the patch from the earlier discussion
> and setting the inherited set has the same, "I really meant to do this"
> effect as what you propose.
> 
> >(yeah it's rather silly since there already is an unused
> >keep_capabilities flag but that would change old interfaces so ok)
> 
> Isn't the keep_capabilities flag related to setuid() ? or did I miss
> something.

Yes, it is, but it's tempting to reuse to really keep them. I think
that's the point.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/