capabilities bounding set weakness ?

From: BIONDI Philippe (Philippe.BIONDI@enst-bretagne.fr)
Date: Thu Jan 06 2000 - 05:29:59 EST


Hi all,

I think the capabilities bounding set has a little weakness. Indeed, it
is said that it can limit even superuser actions, but, as the cap_bset
variable is exported, it is really easy to set it as you want through
/dev/kmem.
If it was not exported, it would have been really more difficult to find
its location. So I first thought about exporting a twin variable
(cap_bset_2, the come back :)) that is updated each time the real internal
one is modified.
But it may be better to add a CAP_KMEM or sth like that to prevent anybody
from writing /dev/kmem, even if it is also possible to write through
/dev/mem, but protecting /dev/mem breaks a lot of apps (like X). Maybe a
CAP_MEM for those who don't use X would be fine also.

Am I all right ?

regards,
Phil.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
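
Added example, not part of the original message: a defender-side check of whether a capability bounding set still leaves the raw-memory path discussed above open. It assumes a current Linux kernel, where the bounding set is reported as CapBnd in /proc/<pid>/status and opening /dev/mem requires CAP_SYS_RAWIO (bit 17); the CAP_KMEM and CAP_MEM names proposed in the post are not used, and the sample status text is constructed.

```python
import os
import stat

# Capability number from <linux/capability.h> (assumption: current kernels).
CAP_SYS_RAWIO = 17  # gates opening /dev/mem, /dev/kmem and /dev/port

# Constructed sample of /proc/<pid>/status content, not from a real host.
SAMPLE_STATUS = """\
Name:\tdaemon
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t000001ffffffffff
"""

def parse_capbnd(status_text):
    """Return the bounding set as an integer bitmask."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "CapBnd":
            return int(value.strip(), 16)
    raise ValueError("no CapBnd line found")

def has_cap(mask, cap):
    """True if capability number `cap` is set in `mask`."""
    return bool((mask >> cap) & 1)

def raw_memory_nodes(paths=("/dev/mem", "/dev/kmem")):
    """Return the raw-memory character devices present on this host."""
    found = []
    for path in paths:
        try:
            if stat.S_ISCHR(os.stat(path).st_mode):
                found.append(path)
        except OSError:
            pass  # node absent or not accessible
    return found

def audit(status_text, nodes):
    """Return findings where the bounding set does not cover raw memory."""
    mask = parse_capbnd(status_text)
    if has_cap(mask, CAP_SYS_RAWIO) and nodes:
        return ["CAP_SYS_RAWIO left in bounding set; nodes: " + ", ".join(nodes)]
    return []

if __name__ == "__main__":
    with open("/proc/self/status") as f:
        for finding in audit(f.read(), raw_memory_nodes()):
            print(finding)
```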


