I'm not. I'm adding possibility for executable to drop some of its
privileges. This is obviously safe. Loosing priviledges should be safe
modulo broken programs which do not do proper error handling.
It's certainly true that this is safe; I just get frustrated when people
claim this has anything near the power of the full POSIX capabilities
model.
However, an obvious question to ask at this point is why do it by
hacking the ELF header? It's probably much simpler to have the
executable explicitly drop capabilities by making an appropriate system
call in the executable itself. This has the advantage that the kernel
doesn't have to try to parse through the ELF sections looking for the
capabilities-to-drop information, and possibily modifying ELF sections
as well, which adds a *lot* of complexity.
So this would be a very simple model where you just have a setuid root
program, and it could simply drop some or all of its
privileges/capabilities at any point in its execution --- perhaps at the
beginning, perhaps later on in the execution of the program, etc. It's
more flexible and simpler than the setuid-root-and-use-ELF approach.
If people are looking for a short term hack, this is it. It doesn't
require making any changes to the kernel, or any changes to any
user-land administrative tools, nor do we need to teach administrators
how to set these magic bits in the ELF headers. All we have to do is
add the code into the daemons themselves. It doesn't give you the power
of the full POSIX capabilities model, but it is better than nothing;
it's simple, and it won't break things in the future if and when we
finally get around to implementing the full POSIX capabilities model.
- Ted
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/