Re: Capabilities under Linux

Horst von Brand (vonbrand@inf.utfsm.cl)
Wed, 21 Apr 1999 15:55:04 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Alejandro Montiel: "Problem compiling 2.2.0"
Previous message: Brian Ristuccia: "Re: de4x5 hangs aic7xxx, tulip misses port on multiport card"
Maybe in reply to: Riley Williams: "Capabilities under Linux"

Riley Williams <rhw@bigfoot.com> said:

[...]

> I believe this is where we have been confusing each other: You appear
> to believe that all capabilities are security related, and I believe
> that whilst there are many capabilities that are security related,
> other capabilities can and should be defined to help optimise the use
> of the system. It is some of the capabilities in this latter group
> that I am referring to in the above, as quite clearly many (but not
> all) security related capabilities do not belong there.

Capabilities is about permissions do do things: A capability is a key to
some resource that can _only_ be used by processes that own that
capability.

If what you understand under capability is something different, then yes,
we are talking different kettle of fish.

> In addition, I believe that security-related capabilities of the "I do
> NOT require..." variety can safely be placed in the file since they
> can only REDUCE the abilities of the file, and it is only capabilities
> of the "I additionally require..." variety that can not safely be put
> in there.

Capabilities (see above) are exactly the kind of "I am allowed to..." that
you exclude here. So we were agreeing all along?!

[...]

> > Whenever specific capabilities are needed to do a job the
> > instinctive reaction of any Unix sysadmin is "root". You have to
> > think almighty root away, suddenly things look _very_ different.
>
> No cop-outs please!!!
>
> The instinctive reaction of any NOVICE Unix sysadmin (which all too
> many are) is indeed "root", but for you to automatically assume that
> everybody you converse with falls into that class and you're the only
> one who doesn't is a far worse cop-out than the one you offered above.

Perhaps you don't, but for me (with some 15+ years Unix admin) it _still_
is automatic (or almost).

-- Dr. Horst H. von Brand mailto:vonbrand@inf.utfsm.cl Departamento de Informatica Fono: +56 32 654431 Universidad Tecnica Federico Santa Maria +56 32 654239 Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/

Next message: Alejandro Montiel: "Problem compiling 2.2.0"
Previous message: Brian Ristuccia: "Re: de4x5 hangs aic7xxx, tulip misses port on multiport card"
Maybe in reply to: Riley Williams: "Capabilities under Linux"