On Sun, 27 Feb 2000, Pavel Machek wrote:
>
> > The POSIX model leads to the modification of all of our file
> > systems, a lot of the user space utilities, and a BIG change in
> > how system administrators perform system inspection. We've already
> > hashed in the list the issues with find(1),tar(1),cpio(1) and other
> > utilities, but I think that's just the tip of the iceberg.
>
> No. You expand file that is
>
> user.group
> 123.456 setgid
>
> by tar. Right? But 456 happens to be root on your system, while it was
> bind-low-port priviledge on system you got tarball from. You still
> need to modify tar, sorry.
Pavel, what are you talking about?
On a POSIX-model capabilities system, uid=123 has NO SPECIAL MEANING.
gid=456 has NO SPECIAL MEANING. UIDs and GIDs are ONLY meaningful in
checking access permissions of files (read, write, execute).
"Bind-low-port" is not a property of a UID or GID. It is a property of
either a FILE (a program-in-storage) or of a TASK (a
program-in-execution).
A program can aquire the "bind-low-port" either by having that cap set in
its "fP" set, or by acquiring it explicitly through the cap_set_proc()
interface.
And there is no such thing as root (TINSTAR), unless it is Robert Oot's
login name. uid 0 is, from a security and capabilities standpoint,
no different than uid 16053.
If your program wants bind-low-port, then either the administrative system
(with CAP_SETFCAP) needs to set the appropriate bit in the file's fP set,
or the program itself needs to call cap_set_proc(), the results of which
are determined by an anal-retenetive access control system.
Adam
-- Adam D. Bradley -- artdodge@cs.bu.edu -- BU x3-8921 MCS211 -- <>< --
"Listen, strange women lying in ponds distributing // www.adbp.org
swords is no basis for a system of government!" // crosspath.org
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Feb 29 2000 - 21:00:22 EST