Re: [PATCH] 2.6.0-test6: Filesystem capabilities 0.15

From: Andy Lutomirski
Date: Sat Oct 04 2003 - 02:22:25 EST


Olaf Dietsche wrote:

> This *untested* patch implements filesystem capabilities. It allows
> running privileged executables without the need for suid root.
>
> Changes:
> - updated to 2.6.0-test6
> - added lscap to show fs caps for a particular file
>
> This patch is available at:
> <http://www.olafdietsche.de/linux/capability/>


I have an alternate patch, implementing file capabilities using xattrs. It also implements the
exec changes I proposed a few days back, but this time around it's a config option. Note that
this patch is very non-intrusive. The user API is through setxattr and friends, and the changes
to any filesystem to support this patch are minimal (add the system.capabilities xattr and
validate its contents on setxattr).

The patch and user tools are at http://www.stanford.edu/~luto/linux-fscap/
(Apply the cap- patches in order. Patches are against 2.6.0-test6 vanilla.)

Olaf -- what do you think? (I like your CAP_SETFCAP addition -- I may add it to my patch.
Currently anyone can chcap their own files, as long as they hold the capabilities they want
to permit.)

Example:
$ su
# cp `which ping` myping
# chmod 755 myping
# chcap cap_net_raw+p myping
# exit
$ ./myping localhost

-- Andy Lutomirski
