Re: updated proposal for cap in elf

Y2K (y2k@y2ker.com)
Fri, 16 Apr 1999 18:11:28 -0700 (PDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Jamie Lokier: "Re: bad lmbench numbers for mmap"
Previous message: David Miller: "Re: bad lmbench numbers for mmap"

On Fri, 16 Apr 1999, David L. Parsley (lkml account) wrote:
> Finally, I also suggest a small change in the capability semantics.
> Currently, files have a capability set fE, which are the effective bits
> which immediately get raised for the file. Andrej Presern noted, and I
> agree, that this does nothing to enhance security, since an exploit can
You are right it is for compatibility reasons only and I think still
potentialy useful. A dumb could have that permission turned off so it
could not accidently use it but it could be turned on for someone else.
Smart programs should have it set to 0, dumb should be some subset of the
permisible including maybe the null set.
> trivially raise all effective bits; they might as well be raised on
> execution for all current tools. Note that for capability-aware
Most are too dumb to raise, only smart ones can and should raise as
needed.
> applications, the process effective set pE can still be useful to insure
> an operation doesn't have side effects; so I'm leaving the behavior of pE
> alone.
>
> I'm suggesting that fE be redefined as fM, an 'inheritable Mask', which
> will drop inheritable bits in the process being exec'ed. The effect of
> this is to cause certain (or all) inheritance to 'dead-end' during this
> exec. When considering design of a secure distribution, I thought this
> would be a useful feature.
fE is basicly not fM, I think the formula should be:
pI' = pI
pP' = fP | ( fI & pI & pP)
pE' = fE & pP'
How exactly would you fit fE into the formulas that would improve these
equations?
If I understand you correctly you want
pE' = (!fM) & pP'
which gains you nothing. either way stuff dead-ends.
I did kind of like someones idea for f_min
so that if (f_min != (f_min&pE') then EPERM
Used very sparingly f_min might be good.
Without elf I beleive the defaults should be:
fE=pP, fI=pI, fP=0, f_min=0
in untrusted elf headers (not marked with suid or sticky or whatever):
pI' = pI
pP' = fI & pI & pP
pE' = fE & pP'

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jamie Lokier: "Re: bad lmbench numbers for mmap"
Previous message: David Miller: "Re: bad lmbench numbers for mmap"