Re: Capabilities done right [diff against 2.3.1]

Horst von Brand (vonbrand@sleipnir.valparaiso.cl)
Thu, 20 May 1999 01:06:11 -0400


Pavel Machek <pavel@bug.ucw.cz> said:

[...]

> Linus asked how do shellscripts _drop_ power. For shellscripts run
> nightly from cron it is very good idea to drop some of their
> capabilities. So no, I do not want default shell suid0.

To be able to do that, they have to have extra capabilities in the first
place. And under a reasonable capability system they won't unless
specifically granted to them, not just by being run by root or something
like that.

> But take a look at sperl, they obviously have suid0 interpretter, and
> if you wanted possibility for setuid shell scripts, making setuid
> version of bash (of course aware of situation - like sperl is) would
> be the way.

This means placing unrestricted power at the disposal of whoever cracks
sperl or sbash or..., and as these are (by their very nature) complex
programs, this is likely to happen. If the capabilities are granted to the
process running the interpreter that is running the script, the interpreter
itself isn't a vulnerability except through a capable script (which is
pointless for an attacker).

-- 
Horst von Brand                             vonbrand@sleipnir.valparaiso.cl
Casilla 9G, Viņa del Mar, Chile                               +56 32 672616

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/