> One of the critical things about the capability model is the movement
> away from having executables spontaneously acquire privilege by simply
> being invoked.
> This is one of the main problems with the historical suid model: a
> program gets all the power when it starts up. There are frequently
> new attacks on programs that exploit such a feature. Passing command
> line arguments that overflow a stack comes to mind...
> The capability model is designed to change this. The recommended
> behavior for an executable on a fully capability-aware system is to
> not raise "effective" capabilities on startup, since, without them, it
> has no immediate power. In order to become powerful, it needs to
> request that one or more of its permitted capabilities be made
> effective, with a system call.
That's absolutely no use. If I can subvert your capability-aware process to
do anything, I can subvert it with _my_ code that grabs the capabilities
later. Messier, a bit harder to do. But exactly the same problem as before.
-- 
Dr. Horst H. von Brand                   mailto:email@example.com
Departamento de Informatica              Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria       +56 32 654239
Casilla 110-V, Valparaiso, Chile         Fax:  +56 32 797513
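The startup discipline the quoted paragraph recommends, as an added example that is not part of this thread: keep the effective set empty, raise one permitted capability only around the privileged call, lower it again, and then drop it from the permitted set so that code running later in the same process, the case Horst raises, cannot get it back. Linux only, raw capget/capset via syscall(2) with no libcap; the choice of CAP_NET_BIND_SERVICE and all function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>
/* Version-3 capability sets: two 32-bit words per set (caps 0-31, 32-63). */
typedef struct __user_cap_data_struct cap_data_t[2];

static int caps_read(cap_data_t d) {  /* snapshot of the calling thread's sets */
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capget, &h, d);
}
static int caps_write(cap_data_t d) { /* install modified sets in the kernel */
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capset, &h, d);
}

static int has_effective(const cap_data_t d, int cap) {
    return (d[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}
/* The "ask for a permitted capability to be made effective" step; refused
 * with EPERM when the capability is not in the permitted set. */
static int raise_effective(cap_data_t d, int cap) {
    if (!(d[CAP_TO_INDEX(cap)].permitted & CAP_TO_MASK(cap))) { errno = EPERM; return -1; }
    d[CAP_TO_INDEX(cap)].effective |= CAP_TO_MASK(cap);
    return 0;
}
static void lower_effective(cap_data_t d, int cap) {
    d[CAP_TO_INDEX(cap)].effective &= ~CAP_TO_MASK(cap);
}
/* One-way: once cleared from permitted, no later capset() in this process
 * can bring the capability back, which is what bounds subverted code. */
static void drop_permitted(cap_data_t d, int cap) {
    lower_effective(d, cap);
    d[CAP_TO_INDEX(cap)].permitted   &= ~CAP_TO_MASK(cap);
    d[CAP_TO_INDEX(cap)].inheritable &= ~CAP_TO_MASK(cap);
}

int main(void) {
    cap_data_t d;
    if (caps_read(d) != 0) { perror("capget"); return 1; }
    if (raise_effective(d, CAP_NET_BIND_SERVICE) == 0 && caps_write(d) == 0) {
        /* the privileged call (e.g. bind() to a low port) would go here */
        lower_effective(d, CAP_NET_BIND_SERVICE);
        caps_write(d);
    } else perror("CAP_NET_BIND_SERVICE not available");
    drop_permitted(d, CAP_NET_BIND_SERVICE);   /* gone for good for this process */
    return caps_write(d) == 0 && !has_effective(d, CAP_NET_BIND_SERVICE) ? 0 : 1;
}
```

Run as an ordinary user the program reports EPERM on the raise step and still exits with the capability absent from every set; to exercise the raise path, give the binary the capability in its permitted set with setcap.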