Re: [PATCH] [request for inclusion] Realtime LSM

From: Chris Wright
Date: Fri Jan 07 2005 - 12:52:33 EST

Next message: Chris Friesen: "Re: Make pipe data structure be a circular list of pages, ratherthan"
Previous message: Greg KH: "Re: [patch 2.6.10] ehci "hc died" on startup (chip bug workaround)"
In reply to: Martin Mares: "Re: [PATCH] [request for inclusion] Realtime LSM"
Next in thread: Jack O'Quin: "Re: [PATCH] [request for inclusion] Realtime LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Martin Mares (mj@xxxxxx) wrote:
> Hello!
>
> > Yes, SETPCAP became a gaping security hole. Recall the sendmail hole.
>
> Hmmm, I don't remember now, could you give me some pointer, please?

Sure, the Wagner/Chen paper on setuid demystified has some references to
it IIRC. http://www.cs.ucdavis.edu/~hchen/paper/usenix02.ps

> > This won't work, you can't increase the bset, which is hardcoded to
> > leave out SETPCAP. Also, init is hard coded to start without SETPCAP.
>
> If I read the source correctly, init is allowed to increase the bset,
> the other processes aren't.

Yes, you're right I forgot about that.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Chris Friesen: "Re: Make pipe data structure be a circular list of pages, ratherthan"
Previous message: Greg KH: "Re: [patch 2.6.10] ehci "hc died" on startup (chip bug workaround)"
In reply to: Martin Mares: "Re: [PATCH] [request for inclusion] Realtime LSM"
Next in thread: Jack O'Quin: "Re: [PATCH] [request for inclusion] Realtime LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]