This is allowed by all other trusted operating systems. Why not
trusted linux as well? And you're also forgetting about inheritable
capabilities. What if an ELF program calls a shell script that in
turn calls another ELF program. Do you just look at the privileges
ON the file? No you have to check the inheritable privileges of
the parent process as well.
I know this principle of least privilege is NEW to linux, but
it's a pretty well established technology. You would probably want to
leverage off of the concepts that other people and OSes have already
built.
Otherwise you dump a tried and true security model in preference of one
whose rules you are making up as you go along.
>
> If so, you might as well start by allowing setuid shell scripts.
> That was a massive security hole last I heard.
I don't think you've quite got the idea of capabilities yet. If you
did you wouldn't think that a shell script with capabilities is any
worse or better than an ELF program with capabilities. In fact,
in a capabilities/privilege based security model, setuid bit becomes
unnecessary unless you just want to do something as someone else (i.e.
you can override DAC file permissions with a capability, you don't have
to change user, AND the superuser uid 0 doesn't map to ALL capabilities,
so there's no reason to setuid to it.)
For what its worth, Capabilities is such a clunky word, privileges is
what everybody else calls
them. If you're only calling them that because Posix.6 does, you might
want to rethink
that idea. Or not ;-).
John
-- John Wojtowicz, Secure Systems Engineer jwojtowicz@tcs-sec.com Trusted Computer Solutions wojtowij@erols.com Herndon, VA 20171
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/