Re: [patch 2.1.97] more capabilities support

Linus Torvalds (torvalds@transmeta.com)
Sun, 19 Apr 1998 14:50:52 -0700 (PDT)


On Sun, 19 Apr 1998, Andrew Morgan wrote:
>
> I have just copied the names out of the POSIX draft (section 25.1.1.3).

Without looking into the patch further, I do want to warn you that this is
one fairly certain way to not get things accepted into the kernel.

This is not a POSIX thing or anything like that: I intensely dislike the
notion of "copying from standards". It's a certain way to madness, and I
much prefer if people think a bit first.

For example, the POSIX standard is an API standard. As such, it lists data
structures and functions that the _user_ sees. Anybody who blindly copies
such things into kernel space is just asking for trouble. I ask that
people think about the deeper meaning of things and _not_ necessarily just
copy interfaces.

One good example of this is threading. Yes, I could have sat down with a
spec of POSIX threads, and I could have implemented that interface
directly in the kernel. But the point is that threading really is a
_concept_, and I want to make sure that the kernel gets the _concepts_
right. The API is just an implementation detail of a much larger picture.

With respect to capabilities, I don't ever want to see patches that don't
have the whole picture. And quite frankly, going by past experience, the
POSIX committee has never had a big picture in their life (which is ok:
the POSIX standard wasn't about "getting the big picture", it was
expressly about very small pictures indeed. But it does imply that POSIX
is not a good guide to kernel internals).

Also, Morgan, you mentioned that you want to get rid of the capability to
set capabilities because you worry that it is a security risk. Sorry, but
that's the kind of prison mentality that I refuse to have in the kernel.
In my very strong opinion, the kernel should _allow_ things, and never
restrict things.

As such, we should _allow_ the capability to raise other capabilities. If
you don't like that capability, you can just make sure that it is cleared
at boot for everybody, and then nobody can inherit it and nobody can ever
get it any other way either (as nobody has the capability to raise the
capability).

The whole UNIX philosophy is to give the user a powerful tool. Yes, giving
people such a tool does imply that people can hurt themselves. But I'd
still prefer to be given the choice, instead of getting the "yes, dear,
these are the safe and approved interfaces, and if you don't like them,
tough, you're stuck with them" mentality.

Linus

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
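The "clear it at boot and nobody can ever get it back" argument above is a closure property of the capability design, and it can be checked mechanically. The following is an added illustration, not code from the post or from any kernel: it models a tiny system in which gaining a capability is itself gated by one capability (called CAP_RAISE here, a constructed name that stands in for the "capability to raise other capabilities"; the other names, the Process class and the boot helper are likewise constructed for the model and are not kernel constants or APIs), then exhaustively searches every capability set a descendant of init could reach. On an "open" boot the ceiling is everything; on a boot where the raise bit was cleared, no sequence of inherit, drop or raise ever brings it back.

```python
"""Toy model of the capability scheme argued for in the post: raising a
capability is itself a capability, and clearing that one bit at boot is
enough to make it unobtainable system-wide.

Added example, not code from the post or from any kernel. The capability
names and the Process/boot helpers are constructed for the model and do
not correspond to real kernel constants or system calls.
"""
from collections import deque
from dataclasses import dataclass

# Constructed capability names. CAP_RAISE stands for the "capability to
# raise other capabilities" discussed in the post.
CAP_RAISE = "CAP_RAISE"
CAP_NET_ADMIN = "CAP_NET_ADMIN"
CAP_SYS_ADMIN = "CAP_SYS_ADMIN"
ALL_CAPS = frozenset({CAP_RAISE, CAP_NET_ADMIN, CAP_SYS_ADMIN})


class CapabilityError(PermissionError):
    """Raised when a process tries to gain a capability it may not raise."""


@dataclass(frozen=True)
class Process:
    pid: int
    caps: frozenset

    def spawn(self, pid, keep=None):
        """A child inherits a subset of the parent's set, never more."""
        wanted = self.caps if keep is None else frozenset(keep)
        return Process(pid, wanted & self.caps)

    def drop(self, cap):
        """Lowering privilege is always allowed."""
        return Process(self.pid, self.caps - {cap})

    def raise_cap(self, cap):
        """Gaining a capability (including CAP_RAISE itself) requires
        already holding CAP_RAISE; it is the only operation that adds bits."""
        if cap not in ALL_CAPS:
            raise ValueError(f"unknown capability {cap!r}")
        if CAP_RAISE not in self.caps:
            raise CapabilityError(
                f"pid {self.pid} lacks {CAP_RAISE}, cannot raise {cap}")
        return Process(self.pid, self.caps | {cap})


def boot(lock_raise):
    """Create init (pid 1). With lock_raise=True the raise capability is
    cleared at boot, the site-level choice the post describes."""
    caps = ALL_CAPS - {CAP_RAISE} if lock_raise else ALL_CAPS
    return Process(1, caps)


def reachable_sets(root):
    """Every capability set any descendant of root could ever hold, found
    by exhaustive search. spawn() can only shrink a set, so drop() already
    covers it and the search needs just drop and raise."""
    seen = {root.caps}
    queue = deque([root])
    while queue:
        p = queue.popleft()
        moves = [p.drop(c) for c in p.caps]
        if CAP_RAISE in p.caps:
            moves += [p.raise_cap(c) for c in ALL_CAPS]
        for q in moves:
            if q.caps not in seen:
                seen.add(q.caps)
                queue.append(q)
    return frozenset(seen)


def obtainable_caps(root):
    """Union of everything reachable: the privilege ceiling of the system."""
    return frozenset().union(*reachable_sets(root))


if __name__ == "__main__":
    open_system = boot(lock_raise=False)
    locked_system = boot(lock_raise=True)
    print("open   :", sorted(obtainable_caps(open_system)))
    print("locked :", sorted(obtainable_caps(locked_system)))
    # Even on the open system, a process that gave CAP_RAISE away cannot
    # get it back: the operation that would restore it is the one it lost.
    demoted = open_system.spawn(2).drop(CAP_RAISE)
    try:
        demoted.raise_cap(CAP_RAISE)
    except CapabilityError as err:
        print("denied :", err)
```

The search is what turns the post's informal claim into a check: with three capabilities there are eight possible sets, all eight are reachable after an open boot, and only the four subsets of the two remaining capabilities are reachable after a locked boot. The same exhaustive walk scales to a real capability list if the operations are modelled faithfully, which is the kind of "whole picture" reasoning the post asks for before any interface is copied in.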