> Horst von Brand writes:
> > Richard Gooch <email@example.com> said:
> > The whole idea of capabilities is to get rid of all-powerful users, to
> > split the root powers among several people where _nobody_ has all
> > powers. Any scheme that keeps a root of some sort is broken.
> Whoever can grant caps is in effect all-powerful.
Sure, but this need not be tied to a given uid; heck, in a proper
capabilities-based system, this can _only_ be done, say, by logging in at
the console and supplying two or three passwords.
> > > Capabilities are a good thing, as they give more flexibility. But
> > > there simply is no need to cripple root.
> > Then give root all capabilities. "To cripple root", as you call it, is not
> > _needed_, but it is essential to be _able to do it_, else you can get just
> > a fraction of the security benefits out of this scheme.
> What exactly do you see as the benefits of a crippled root? Compare
> that with a system where there is no root account, but euid=0 means
> all caps to the kernel. What are the real benefits?
You don't want the kernel to interpret _any_ uid as all-powerful. Rather,
CAP_SETFCAP is the all-powerful capability, which may be two separate
uids can obtain after a complex authentication scheme.
David L. Parsley
City of Salem Schools
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to email@example.com
Please read the FAQ at http://www.tux.org/lkml/
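The thread turns on which processes actually hold all-powerful capabilities (CAP_SETFCAP in particular, or a full euid=0 set). As an added example that is not part of the thread, the following Python script decodes the CapEff/CapPrm/CapInh/CapBnd/CapAmb masks from `/proc/<pid>/status` into capability names and flags the ones that are root-equivalent. The capability bit numbers follow `<linux/capability.h>`; the `ROOT_EQUIVALENT` set is this editor's illustrative list, and the three `/proc` status texts are constructed samples, not captured from a real system.

```python
"""Decode Linux capability masks from /proc/<pid>/status and flag root-equivalent ones."""
import os
import re

# Capability numbers from <linux/capability.h>: list index == bit number.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Editor's illustrative list (assumption): capabilities from which a holder can
# regain every other capability, i.e. the "all-powerful" ones the thread argues about.
ROOT_EQUIVALENT = {
    "CAP_SETFCAP",      # can attach capabilities to executables
    "CAP_SYS_ADMIN",    # catch-all administrative capability
    "CAP_SYS_MODULE",   # loads kernel code
    "CAP_DAC_OVERRIDE", # bypasses file permission checks
    "CAP_SYS_PTRACE",   # can control other processes
    "CAP_SETUID",       # can become any uid, including 0
}

STATUS_RE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)


def decode_mask(hex_mask: str) -> list:
    """Turn a hex capability mask (as printed in /proc) into capability names."""
    mask = int(hex_mask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            # Bits above the known table come from a newer kernel; keep them numeric.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def parse_status(status_text: str) -> dict:
    """Extract every Cap* line of a /proc/<pid>/status dump into decoded name lists."""
    return {m.group(1): decode_mask(m.group(2)) for m in STATUS_RE.finditer(status_text)}


def audit(status_text: str) -> dict:
    """Summarise what a process can really do, regardless of its uid."""
    caps = parse_status(status_text)
    effective = set(caps.get("CapEff", []))
    return {
        "effective": caps.get("CapEff", []),
        "root_equivalent": sorted(effective & ROOT_EQUIVALENT),
        "is_full_root": effective == set(CAP_NAMES),  # every known bit set
    }


# Constructed sample dumps (not captured from a real machine).
WEB_SERVER_STATUS = (
    "Name:\twebsrv\nUid:\t33\t33\t33\t33\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n"
)
CAP_MANAGER_STATUS = (
    "Name:\tcapmgr\nUid:\t1001\t1001\t1001\t1001\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000080000000\n"
    "CapEff:\t0000000080000000\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n"
)
ROOT_SHELL_STATUS = (
    "Name:\tsh\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    for label, text in [("websrv", WEB_SERVER_STATUS), ("capmgr", CAP_MANAGER_STATUS),
                        ("root sh", ROOT_SHELL_STATUS)]:
        print(label, audit(text))
    # On a Linux host, also show the capabilities of this very process.
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as fh:
            print("self", audit(fh.read()))
```

Run against the `/proc/<pid>/status` of every process on a host, the `root_equivalent` field lists the processes that, in the thread's terms, still hold "all the powers" even when their uid is not 0; a process such as the constructed `capmgr`, which runs as an ordinary uid but holds CAP_SETFCAP, shows up exactly the way von Brand's point predicts.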