Re: Secure-linux and standard kernel

Theodore Y. Ts'o (tytso@mit.edu)
Fri, 26 Jun 1998 16:13:12 -0400


Date: Thu, 25 Jun 1998 15:19:43 -0500
From: Mitchell Blank Jr <mitch@execpc.com>

3. Remember that unlike ext2-level checks there will be no way for the
kernel to prevent the owner of the file from changing its capabilities.
Obviously it would refuse to honor them for non-suid-root files but
what about protecting from root? This works against the division-of-root
concept of capabilities. I'm not familiar enough with the eventual
direction of the capabilities stuff and how it will interface with
the traditional uid=0 to say whether this is bad or not. Make sure
that there aren't any security implications with allowing uid=0 to
implicitly set any capability on any binary, regardless of what
capabilities are currently in effect.

The whole point is to remove uid=0 from having any special meaning,
unless the system administrator wants to configure their machine to be
compatible with other Unix systems (in which case the machine will be as
insecure as other Unix systems).

So eventually, uid=0 will have no special meaning. The whole point in
adding capability support is to allow programs and users to have exactly
the privileges they need to get the job done, no more. That means that
most programs/users will *not* be allowed to set capabilities on
binaries, for the obvious security reasons.

Credit the people who designed the system with a little sense. :-)

- Ted
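The concern quoted above is about who may attach capabilities to a binary and whether uid=0 can do so implicitly. On modern Linux, which implements a later design than the one being debated in this 1998 thread, file capabilities are stored in the security.capability extended attribute and writing that attribute requires CAP_SETFCAP in the caller's effective set, not merely ownership of the file or uid=0. The Python below is an added example, not code from this thread or from the kernel: it decodes that attribute (v2 and v3 vfs_cap_data layouts) so an administrator can audit what a binary actually carries and flag capabilities that are effectively root-equivalent. The sample byte strings are constructed; the list of "root-equivalent" capabilities is this example's own judgement, not a kernel definition.

```python
import os
import struct

# Capability bit numbers, in the order defined by <linux/capability.h>.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Header constants from the kernel's vfs_cap_data definition.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_2 = 0x02000000  # 20 bytes: magic + 2 x (permitted, inheritable)
VFS_CAP_REVISION_3 = 0x03000000  # 24 bytes: v2 layout + rootid (user namespace)

# This example's own list of capabilities that amount to full root when held
# by an attacker-controlled program; it is an auditing heuristic, not kernel policy.
ROOT_EQUIVALENT = {
    "cap_sys_admin", "cap_setfcap", "cap_dac_override", "cap_sys_module",
    "cap_sys_ptrace", "cap_sys_rawio", "cap_setuid", "cap_dac_read_search",
}


def cap_names(mask):
    """Expand a 64-bit capability mask into sorted lowercase names."""
    names = []
    for bit in range(64):
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
    return names


def decode_vfs_caps(raw):
    """Decode a security.capability xattr value (v2 or v3 on-disk layout)."""
    if len(raw) < 4:
        raise ValueError("security.capability value too short")
    (magic,) = struct.unpack_from("<I", raw, 0)
    revision = magic & VFS_CAP_REVISION_MASK
    expected = {VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}.get(revision)
    if expected is None:
        raise ValueError(f"unsupported vfs_cap_data revision 0x{revision:08x}")
    if len(raw) != expected:
        raise ValueError(f"revision 0x{revision:08x} needs {expected} bytes, got {len(raw)}")
    # data[0] holds the low 32 bits, data[1] the high 32 bits of each set.
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", raw, 4)
    rootid = struct.unpack_from("<I", raw, 20)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {
        "permitted": cap_names(p_lo | (p_hi << 32)),
        "inheritable": cap_names(i_lo | (i_hi << 32)),
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "rootid": rootid,
    }


def flag_root_equivalent(caps):
    """Return the permitted capabilities an auditor should treat as root-equivalent."""
    return sorted(c for c in caps["permitted"] if c in ROOT_EQUIVALENT)


def read_file_caps(path):
    """Read and decode the file capabilities of one path; None if it carries none."""
    getxattr = getattr(os, "getxattr", None)  # only present on Linux builds of Python
    if getxattr is None:
        return None
    try:
        return decode_vfs_caps(getxattr(path, "security.capability"))
    except OSError:  # ENODATA (no caps), ENOTSUP (no xattrs) or permission denied
        return None


def audit_tree(root):
    """Walk a directory tree and list every file carrying file capabilities."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            caps = read_file_caps(path)
            if caps:
                findings.append((path, caps, flag_root_equivalent(caps)))
    return findings


# Constructed sample: what `setcap cap_net_bind_service=ep` would store (v2 layout).
SAMPLE_V2 = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                        1 << 10, 0, 0, 0)
# Constructed sample: v3 layout, cap_sys_admin permitted, rooted in a user namespace
# whose root maps to uid 1000 (the kind of binary an audit should flag).
SAMPLE_V3 = struct.pack("<IIIIII", VFS_CAP_REVISION_3, 1 << 21, 0, 0, 0, 1000)

if __name__ == "__main__":
    for label, raw in (("v2 sample", SAMPLE_V2), ("v3 sample", SAMPLE_V3)):
        caps = decode_vfs_caps(raw)
        print(label, caps, "root-equivalent:", flag_root_equivalent(caps))
    for path, caps, risky in audit_tree("/usr/bin"):
        print(path, caps["permitted"], "EFFECTIVE" if caps["effective"] else "", risky)
```

Run as a normal user it prints the two decoded samples and then whatever /usr/bin carries; the decoder never needs privilege, since reading security.capability is allowed for any user who can stat the file, whereas writing it is the operation gated on CAP_SETFCAP.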

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu