Re: [PATCH] disallow modular capabilities

From: Andi Kleen
Date: Sun Jan 02 2005 - 15:48:44 EST


Christoph Hellwig <hch@xxxxxx> writes:

> On Sun, Jan 02, 2005 at 09:28:00PM +0100, Andi Kleen wrote:
>> Christoph Hellwig <hch@xxxxxx> writes:
>>
>> > There's been a bugtraq report about a root exploit with modular
>> > capabilities LSM support out for more than a week.
>>
>> It was a root exploit only triggerable by root. Not exactly
>> what I would call a real problem.
>
> At least Debian currently inserts the capabilities module on boot.

That is fine as long as they control all code executed before
that module is loaded. And if they do not, it is their own fault,
and they have to fix that in user space or compile the capability in.
Unix policy is to not stop root from doing stupid things, because
that would also stop him from doing clever things.

-Andi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/