Re: [RFC] Capabilities still can't be inherited by normal programs
From: Andy Lutomirski
Date: Mon Dec 10 2012 - 14:31:56 EST
On Mon, Dec 10, 2012 at 11:13 AM, Casey Schaufler
<casey@xxxxxxxxxxxxxxxx> wrote:
> On 12/10/2012 10:12 AM, Andy Lutomirski wrote:
>> I think that the Windows approach is worth looking at. See here:
>>
>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa375202%28v=vs.85%29.aspx
>>
>> In the Windows model, each capability ("privilege") can be in one of
>> three states: enabled (i.e working right now),
>
> Effective
>
>> permitted (i.e.
>> available upon request but not currently enabled),
>
> Permitted
>
>> or removed
>> (disallowed to this process and all of its children).
>
> ~Inherited
No. It's ~Inherited in a world where every binary has fI = everything.
>
>> Permitted
>> privileges are always inherited when a child process is created.
>>
>> This is *way* simpler than Linux's model, and it works just fine*.
>
> I see a different set of complications, and Windows never had
> a setuid bit to contend with. God created the universe in seven
> days, but then, He didn't have an installed base.
>
What are those complications?
Also, I think we really could get rid of setuid without breaking
anything with a bit of extra (non-capability-related) plumbing work.
--Andy
--
Andy Lutomirski
AMA Capital Management, LLC
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/