Re: patch to make Linux capabilities into something useful (v 0.3.1)

[Pavel Machek]

Hi!

> > > How about another gid, then?  Should we reset all caps on sgid exec?
> > 
> > Yes. Any setuid/setgid exec is a security barrier, and weird (or new)
> > semantics may not cross that barrier.
> 
> Right, so what I was saying was: if you reset all regular caps on sgid
> exec, anyone can trivially reset all regular caps by creating a sgid
> program (users are always members of a great many groups so "finding
> another gid to hijack" is trivial).  So CAP_REG_SXID needs to be off
> all the time, so we lose again.
> 
> But I'll make this a securebit ("unsanitized sxid"), with the behavior
> you advertise as default (0).

I'm not sure if fundamental security semantics should be optional, but
it is certainly better than before.

> > > Ultimately a compromise is to be reached between security and
> > > flexibility...  The problem is, I don't know who should make the
> > > decision.
> > 
> > Go for security here. (Normally, consensus on the list is needed for
> > merging the patch).
> 
> I am now completely convinced the patch will never be merged. :-(
> Linux will have useless caps forever...

Well, merging the patches is not that hard.

tytso actually shown a clever way: add per-filesystem 'default
capability masks'. That should be fairly easy to merge, and
automatically back-compatible.

(And it would get tou semantics you wanted in inheritance area,
right?)
							Pavel
-- 
Thanks for all the (sleeping) penguins.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/