Re: [patch 2.1.97] more capabilities support

Alexander Kjeldaas (astor@guardian.no)
Sun, 19 Apr 1998 19:28:22 +0200


On Sun, Apr 19, 1998 at 12:58:29PM -0400, Albert D. Cahalan wrote:
>
> Subject Capability Sets
>
> All Capability Sets on subjects are used to establish operational
> privileges for users, roles, and their applications. Every subject
> in DSO software has four capability sets placed on them:
>
> * an Effective Set that governs what the person and applications
> acting for them are allowed to do
>
> * a Permitted Set which limits the capabilities that may be
> in the Effective Set
>
> * an Inheritable Set that controls which capabilities can be passed on
>
> * a Bounding Set that serves as a fail-safe mechanism to ensure users
> cannot acquire more privilege beyond what they have been authorized
>

Yes, this has been mentioned. However I'm not sure it's needed. _At
least_ not before we have a capabilities-aware file system. Currently
we can't force new capabilities on a process unless done by some
"capability-daemon" so a bounding set adds nothing but complexity. I
don't like adding complexity unless it is _really_ needed.

> We seem to be missing the bounding set.
>
> It would seem that totally conflicting capability sets would prevent
> an executable from being run, since it would be dangerous to have a
> privileged executable run with only half of what it needs.

Yes, but we currently don't have any way of checking this since we
don't know the "allowed" set of the program we want to execute. This
check is only possible to do with file system support for
capabilities.

astor

-- 
 Alexander Kjeldaas, Guardian Networks AS, Trondheim, Norway
 http://www.guardian.no/
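The four sets in the quoted DSO description, and the two points Kjeldaas makes about them (the bounding set only bites once files can carry capability sets, and the "half of what it needs" check needs to know what the program requires), can be worked through with a small model. This is an added example, not code from the email or from the 2.1.97 patch: the exec transform follows the POSIX.1e-draft rule that Linux later adopted (P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)), effective copied from permitted when the file's effective bit is set), with root special-casing and later additions such as the ambient set left out; the CAP_* bit positions and the sample process and file sets are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One bit per capability. These bit positions are constructed for the
 * example and are not the kernel's real CAP_* numbers. */
typedef uint64_t capset_t;
#define CAP_NET   (1ULL << 0)
#define CAP_FS    (1ULL << 1)
#define CAP_RAWIO (1ULL << 2)
#define CAP_TIME  (1ULL << 3)
#define CAP_ALL   (~(capset_t)0)

struct proc_caps { capset_t effective, permitted, inheritable, bounding; };

/* Capability metadata attached to an executable. 'present' is false for a
 * file on a file system without capability attributes, which is the
 * situation the email describes. */
struct file_caps { bool present; capset_t permitted, inheritable; bool effective; };

/* Sets of the new image after exec (POSIX.1e-draft model, assumed here). */
struct proc_caps exec_transform(struct proc_caps p, struct file_caps f)
{
    capset_t fp = f.present ? f.permitted : 0;
    capset_t fi = f.present ? f.inheritable : 0;
    struct proc_caps n;
    n.permitted   = (p.inheritable & fi) | (fp & p.bounding);
    n.effective   = (f.present && f.effective) ? n.permitted : 0;
    n.inheritable = p.inheritable;
    n.bounding    = p.bounding;
    return n;
}

/* Would the exec come out differently if the bounding set were unlimited?
 * With no file capabilities the F(permitted) term is empty, so the answer
 * is always false: the bounding set cannot remove anything. */
bool bounding_set_matters(struct proc_caps p, struct file_caps f)
{
    struct proc_caps bounded = exec_transform(p, f);
    p.bounding = CAP_ALL;
    struct proc_caps unbounded = exec_transform(p, f);
    return bounded.permitted != unbounded.permitted;
}

/* The "half of what it needs" case: the file asks for capabilities (its
 * permitted set, effective bit on) that the new process will not hold.
 * Without file capabilities nothing is known about the program's needs,
 * so the check cannot be made at all. */
bool exec_would_be_crippled(struct proc_caps p, struct file_caps f)
{
    if (!f.present || !f.effective)
        return false;
    struct proc_caps n = exec_transform(p, f);
    return (f.permitted & ~n.permitted) != 0;
}

/* Constructed sample inputs. */
struct proc_caps sample_process(void)
{
    struct proc_caps p = { .effective = CAP_NET, .permitted = CAP_NET | CAP_FS,
                           .inheritable = CAP_FS, .bounding = CAP_ALL };
    return p;
}
struct proc_caps sample_process_bounded(void)
{
    struct proc_caps p = sample_process();
    p.bounding = CAP_NET | CAP_FS;      /* CAP_RAWIO removed from the bounding set */
    return p;
}
struct file_caps sample_no_file_caps(void)
{
    struct file_caps f = { .present = false };
    return f;
}
struct file_caps sample_server_file(void)
{
    struct file_caps f = { .present = true, .permitted = CAP_NET | CAP_RAWIO,
                           .inheritable = 0, .effective = true };
    return f;
}

int main(void)
{
    printf("no file caps: bounding matters=%d crippled=%d\n",
           bounding_set_matters(sample_process(), sample_no_file_caps()),
           exec_would_be_crippled(sample_process(), sample_no_file_caps()));
    printf("file caps:    bounding matters=%d crippled=%d\n",
           bounding_set_matters(sample_process_bounded(), sample_server_file()),
           exec_would_be_crippled(sample_process_bounded(), sample_server_file()));
    return 0;
}
```

Run with file capabilities absent, the new image gets an empty permitted set no matter what the bounding set says, which is the "adds nothing but complexity" argument in the reply. Once the file carries a permitted set, the bounding set both limits the result and makes the conflict check meaningful: here the file asks for CAP_RAWIO, the bounding set withholds it, and the exec would run with only part of what it declared it needs.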
