On Sat, 2 Nov 2002, Linus Torvalds wrote:
> However, I think there is a problem with Al's original approach: the bind
> can _not_ be just a mask that takes away capabilities from a suid
> application, since that would imply that the app has to be marked suid in
> the first place (and accessing it _without_ going through the bind will
> give it elevated privileges, which is what we're trying to avoid).
No, that's OK -
mount --bind /usr/bin/foo.real /usr/bin/foo.real
mount -o remount,nosuid /usr/bin/foo.real
or equivalent couple of mount(2) calls will do the trick nicely (and that,
BTW, we have right now - you can selectively disable/enable suid on files
and entire subtrees).
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Nov 07 2002 - 22:00:28 EST