Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs

From: Linus Torvalds
Date: Fri Jan 13 2012 - 16:13:35 EST


On Fri, Jan 13, 2012 at 12:13 PM, Eric Paris <eparis@xxxxxxxxxx> wrote:
>
> So you can't drop capabilities(7)?  If you come in with permission you
> can't get rid of it?  Ouch.

I really don't understand why people get confused about this.

No, you can't drop capabilities. You're in a sandbox, the whole point
is that you're running untrusted code, you had better not *have* any
capabilities that you worry about dropping.

The whole "drop capabilities" is a red herring. If you think you need
it, you're doing something wrong.

Linus
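The semantics being argued over above, as an added example that is not part of the thread or of the patch itself: a C program that sets no_new_privs with prctl(2), shows that the flag cannot be cleared again, and shows that it follows the task across fork and across execve, which is the mechanism by which a later exec can no longer grant privileges. It assumes a Linux kernel with PR_SET_NO_NEW_PRIVS (3.5 or later), a /bin/sh for the exec step, and the NoNewPrivs line in /proc/self/status (present since 4.10; the exec check reports -1 rather than failing when it is missing). The function names and the exit-code convention are this example's own.

```c
/* no_new_privs demo: set the flag, show it is one-way, inherited across
 * fork, and still set after execve. Added example, not the patch's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/wait.h>

/* The constants come from linux/prctl.h; older libc headers may lack them. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Returns 1 if the calling task has no_new_privs set, 0 if not, -1 on error. */
int nnp_get(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Sets the flag for the calling task. Returns 0 on success, -1 on error.
 * Setting it when it is already set is allowed and changes nothing. */
int nnp_set(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Tries to clear the flag. The kernel accepts only arg2 == 1 for
 * PR_SET_NO_NEW_PRIVS, so this returns -1 with errno == EINVAL and the
 * flag stays set: there is no way back out. */
int nnp_clear_attempt(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Forks a child and reports what the child sees: 1 if the child inherited
 * the flag, 0 if not, -1 if fork/wait failed. */
int nnp_inherited_by_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(nnp_get() == 1 ? 1 : 0);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Forks, execs /bin/sh, and has the new program image read its own
 * NoNewPrivs line from /proc/self/status. Returns 1 if the flag survived
 * execve, 0 if the exec'd process reports it clear, -1 if the field is
 * missing (kernel older than 4.10) or the exec itself failed. */
int nnp_survives_exec(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c",
              "v=$(sed -n 's/^NoNewPrivs:[[:space:]]*//p' /proc/self/status);"
              "[ -z \"$v\" ] && exit 2; exit \"$v\"", (char *)NULL);
        _exit(3); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return (code == 0 || code == 1) ? code : -1;
}

int main(void)
{
    printf("before: no_new_privs=%d\n", nnp_get());
    if (nnp_set() != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
    printf("after:  no_new_privs=%d\n", nnp_get());
    if (nnp_clear_attempt() != 0)
        printf("clearing refused: %s\n", strerror(errno));
    printf("child inherits: %d\n", nnp_inherited_by_child());
    printf("survives execve: %d\n", nnp_survives_exec());
    return 0;
}
```

Run it as an ordinary user; it needs no privileges, which is the point: the flag is set before the untrusted code runs, and everything that process later forks or execs is stuck with it. What the program cannot show without a setuid helper on disk is the other half of the guarantee, that an exec of a setuid or file-capability binary under this flag runs with the caller's credentials rather than elevated ones.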