On Sat, 2 Nov 2002, Oliver Xymoron wrote:
> # mv ping ping.real
> # chmod -s ping.real
> # mkcapwrap +net_raw ping.real
> # chmod +s ping
> # showcapwrap ping
> invokes /bin/ping
> grants net_raw
> #
Do you mean?
# mv ping ping.real
# chmod -s ping.real
# mkcapwrap +net_raw ping
# chmod +s ping
# showcapwrap ping
invokes /bin/ping.real
grants net_raw
#
The wrapper needs to setuid/gid to the uid/gid that invokes it.
uid root with no caps (or few caps) is still very powerful (replace
binaries owned by root, read /etc/shadow, etc).
Currently all capabilities are cleared when non-root app does a execp.
This would need to be addressed.
Dax
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Nov 07 2002 - 22:00:28 EST