On Sat, 2 Nov 2002, Alexander Viro wrote:
>
> No, that's OK -
>
> mount --bind /usr/bin/foo.real /usr/bin/foo.real
> mount -o remount,nosuid /usr/bin/foo.real
Ehh. With the nosuid mount that will remove the effectiveness of the suid
bit (not just the user change - it will also mask off the elevation of the
capabilities), so the bind-mount with the capability mask will now mask
off nothing to start with.
Wouldn't it be much nicer to have:
/usr/bin/foo - no suid bits, no capabilities by default
mount --bind --capability=xx,yy /usr/bin/foo /usr/bin/foo
where the mount actually adds capabilities? Looks more understandable to
me.
Linus
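The exchange above turns on one kernel fact: a `nosuid` mount option masks both the setuid/setgid bits and the file-capability elevation of every binary under that mount point, which is why a per-file bind mount plus `remount,nosuid` is a complete (if blunt) way to neuter one privileged binary. The following added example is not part of the original thread or the kernel source; it is a defender's audit helper that parses `/proc/mounts`-style lines and reports, for a given binary path, whether its privilege elevation would be masked by the mount it lives on. The mount table and the paths are constructed sample data.

```python
"""Audit helper: is a binary's setuid bit / file capability masked by a nosuid mount?

Added example (not from the thread). It reads mount entries in the /proc/mounts
format "source mountpoint fstype options dump pass" and resolves the longest
matching mount point for a path, mirroring how the kernel decides which vfsmount
a file belongs to when it checks MNT_NOSUID at exec time.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample mount table. The second line models the bind-mount trick
# from the thread: /usr/bin/foo.real bind-mounted onto itself and remounted
# nosuid, so it shows up as its own mount point on the same backing device.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /usr/bin/foo.real ext4 rw,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
"""


@dataclass(frozen=True)
class Mount:
    source: str
    point: str
    fstype: str
    options: frozenset


def parse_mounts(text: str) -> List[Mount]:
    """Parse /proc/mounts-style text into Mount records."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        source, point, fstype, opts = fields[:4]
        # /proc/mounts escapes spaces in paths as the octal sequence \040
        point = point.replace("\\040", " ")
        mounts.append(Mount(source, point, fstype, frozenset(opts.split(","))))
    return mounts


def mount_for(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Return the mount whose mount point is the longest prefix of path."""
    best: Optional[Mount] = None
    for m in mounts:
        prefix = m.point.rstrip("/") + "/"
        if path == m.point or path.startswith(prefix):
            if best is None or len(m.point) > len(best.point):
                best = m
    return best


def elevation_masked(path: str, mounts: List[Mount]) -> bool:
    """True if the mount holding path carries nosuid, which makes the kernel
    ignore both setuid/setgid bits and file capabilities on exec."""
    m = mount_for(path, mounts)
    return m is not None and "nosuid" in m.options


def audit(paths: List[str], mounts: List[Mount]) -> Dict[str, bool]:
    """Map each path to whether its privilege elevation is masked."""
    return {p: elevation_masked(p, mounts) for p in paths}


MOUNTS = parse_mounts(SAMPLE_MOUNTS)

if __name__ == "__main__":
    # Constructed paths: the bind-mounted real binary, an unprotected wrapper,
    # and something under a nosuid tmpfs.
    for path, masked in audit(
        ["/usr/bin/foo.real", "/usr/bin/foo", "/tmp/build/tool"], MOUNTS
    ).items():
        state = "masked by nosuid" if masked else "NOT masked"
        print(f"{path}: {state} (mount {mount_for(path, MOUNTS).point})")
```

The longest-prefix match matters: `/usr/bin/foo.real` is covered by its own nosuid entry even though `/` is not nosuid, which is exactly the per-file granularity the bind-mount trick buys. Run against the real `/proc/mounts` the same logic tells you which setuid or capability-bearing binaries on a host are actually neutralised by mount options.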
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Nov 07 2002 - 22:00:28 EST