Re: Capabilities done right [diff against 2.3.1]
Albert D. Cahalan (acahalan@cs.uml.edu)
Sun, 16 May 1999 02:25:56 -0400 (EDT)
Linus Torvalds writes:
> On Fri, 14 May 1999, Pavel Machek wrote:
>
>> Next try with capabilities, this time against 2.3.1. Patch is completely
>> safe and should significantly enhance system security. It is completely
>> backward compatible: ie. no semantics change. Capabilities are
>> implemented using elf notes (and this version parses notes correctly).
>> Software exists for adding capabilities at runtime, so you don't even
>> require a recompile.
>
> I'm not entirely convinced. The thing with ELF notes is that they only
> work with ELF. That may sound obvious, and it is, but it makes me wonder
> whether it's the right way at all.
>
> I suspect that it would be cleaner to have capabilities be a name-space
> issue rather than an inode issue. For example, the one thing I've always
> wanted to do with symlinks is to have symlinks that can change the
> privileges of the lookup - it's complex and maybe not a good idea, but
> it's a more intriguing concept and works with shellscripts and other
> systems where you can't add ELF notes..
You want to allow shellscripts with special powers?!?!?
If so, you might as well start by allowing setuid shell scripts.
That was a massive security hole last I heard.
Considering other formats: a.out is obsolete and newer formats will
not be less powerful than ELF.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/