Hi!
> new PIE=(all,0,all) - which means any executed programs will default
> to inheriting *no privileges* from the suid program.
> This is *DESIRABLE*. For privileges to be propagated,
> The SUID program would have to explicitly set
> its Inheritable set. This means the default is
> to not propagate. This is a 'good' thing. Exec'ing
> a shell out of a SUID program through a buffer
> exploit will default to a capset of (0,0,0) in the
> shell. Seems, at least, moderately useful...
So what? I cannot execute setuid shell, but I can freely do anything
I could do with the shell. I'll add myself to
~root/.ssh/authorized_keys instead of running root shell. This is
called security by obscurity.
(Still it can be a little bit useful.)
Pavel
--
I'm pavel@ucw.cz. "In my country we have almost anarchy and I don't care." Panos Katsaloulis describing me w.r.t. patents me at discuss@linmodems.org
This archive was generated by hypermail 2b29 : Wed May 31 2000 - 21:00:28 EST
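Added example, not part of the original message or of the proposed kernel patch: a small C model of how a (P, I, E) capability triple is transformed across exec. It shows the quoted default (all,0,all) yielding (0,0,0) in the exec'd shell, an explicitly set Inheritable bit propagating, and the calling process still holding every capability before the exec. Assumptions: the exec rule is the one documented in capabilities(7) with the ambient set omitted, uid 0 gets no special treatment, and the `shell` file capabilities, helper names and sample sets are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define CAP_ALL (~(uint64_t)0)
#define BIT(n)  ((uint64_t)1 << (n))
#define CAP_DAC_OVERRIDE     1   /* numbering from linux/capability.h */
#define CAP_NET_BIND_SERVICE 10

/* A task's capability sets as bitmasks, in the (P, I, E) order the mail uses. */
struct capset { uint64_t permitted, inheritable, effective; };
/* Capabilities attached to an executable; effective is a single flag. */
struct filecaps { uint64_t permitted, inheritable; int effective; };

/* exec rule from capabilities(7), ambient set omitted (assumed model):
 *   P' = (I & fI) | (fP & bounding);  E' = fE ? P' : 0;  I' = I */
struct capset cap_exec(struct capset t, struct filecaps f, uint64_t bounding)
{
    struct capset n;
    n.permitted   = (t.inheritable & f.inheritable) | (f.permitted & bounding);
    n.effective   = f.effective ? n.permitted : 0;
    n.inheritable = t.inheritable;
    return n;
}

/* True if the capability is currently usable (present in the effective set). */
int has_cap(struct capset t, int cap) { return (t.effective & BIT(cap)) != 0; }

/* Constructed shell binary: grants nothing itself (fP = 0), accepts any inherited cap. */
static const struct filecaps shell = { 0, CAP_ALL, 1 };

struct capset suid_default(void)  /* the quoted PIE = (all, 0, all) */
{ struct capset t = { CAP_ALL, 0, CAP_ALL }; return t; }

struct capset suid_opt_in(void)   /* program explicitly sets one inheritable bit */
{ struct capset t = { CAP_ALL, BIT(CAP_NET_BIND_SERVICE), CAP_ALL }; return t; }

int main(void)
{
    struct capset a = cap_exec(suid_default(), shell, CAP_ALL);
    struct capset b = cap_exec(suid_opt_in(), shell, CAP_ALL);
    printf("before exec, DAC_OVERRIDE effective: %d\n",
           has_cap(suid_default(), CAP_DAC_OVERRIDE));
    printf("shell, default: P=%llx I=%llx E=%llx\n", (unsigned long long)a.permitted,
           (unsigned long long)a.inheritable, (unsigned long long)a.effective);
    printf("shell, opt-in:  P=%llx I=%llx E=%llx\n", (unsigned long long)b.permitted,
           (unsigned long long)b.inheritable, (unsigned long long)b.effective);
    return 0;
}
```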