Re: Modifying kernel so that non-root users have some root capabilities
From: Bill Davidsen
Date: Tue May 25 2004 - 16:14:17 EST
Laughlin, Joseph V wrote:
> -----Original Message-----
> From: Bill Davidsen [mailto:davidsen@xxxxxxx]
> Sent: Tuesday, May 25, 2004 11:14 AM
> To: root@xxxxxxxxxxxxxxxxxx
> Cc: Laughlin, Joseph V; linux-kernel@xxxxxxxxxxxxxxx
> Subject: Re: Modifying kernel so that non-root users have some root capabilities
>
> Richard B. Johnson wrote:
> > On Mon, 24 May 2004, Laughlin, Joseph V wrote:
> > > (not sure if this is a duplicate or not.. Apologies in advance.)
> > >
> > > I've been tasked with modifying a 2.4 kernel so that a non-root user
> > > can do the following:
> > >
> > > Dynamically change the priorities of processes (up and down)
> > > Lock processes in memory
> > > Can change process cpu affinity
> > >
> > > Anyone got any ideas about how I could start doing this? (I'm new to
> > > kernel development, btw.)
> > >
> > > Thanks,
> >
> > You don't modify an operating system to do that!! You just make a
> > privileged program (setuid) that does the things you want.
>
> Dick, it's called capabilities, and people have already modified the
> operating system to do that, it just doesn't work quite as intended in
> some cases. Setuid is the keys to the kingdom, you really don't want to
> use setuid root unless there's no other way.
>
> Remember when everything used to take the BKL? Then people saw a better
> way. Capabilities is the same kind of progression, save the big hammer
> for the big nail.
>
> In what cases does changing the capabilities not have the intended
> effects?
Don't read that as "existing capabilities don't work," but as
"capabilities don't exist for all the things people claim they need
setuid root to do." The whole concept of capabilities was going to
reduce the need and demand for setuid, and hopefully allow setuid to
vanish in secure systems.
Either through lack of all the necessary bits, or lack of expertise
using them, the goal of reduction in demand and use for setuid seems not
to have been met. I would argue that lack of need has been met, but
careful thought seems needed to do some things without setuid.
--
-bill davidsen (davidsen@xxxxxxx)
"The secret to procrastination is to put things off until the
last possible moment - but no longer" -me
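As an added worked example (not code from the thread, and not anything
Bill or Joseph posted): this is the shape of the helper Bill is arguing
for, doing the original poster's three jobs on capabilities instead of
setuid root. It assumes a Linux kernel with file capabilities, which
means 2.6.24 or later rather than the 2.4 kernel in the question, and it
talks to the kernel through raw capget/capset rather than libcap so it
builds with only the kernel headers. The binary name ./capdemo and the
helper names are made up for the example. The point it demonstrates is
the least-privilege pattern: the three tasks need only CAP_SYS_NICE and
CAP_IPC_LOCK, so the helper drops every other capability the moment it
starts, and a bug later in the program is then not a root shell.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Added example: raw capget/capset wrappers, no libcap dependency. */
typedef struct __user_cap_header_struct cap_hdr_t;
typedef struct __user_cap_data_struct cap_data_t;

static int read_caps(cap_data_t data[2]) {
    cap_hdr_t hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };  /* pid 0 = self */
    memset(data, 0, 2 * sizeof(*data));
    return syscall(SYS_capget, &hdr, data) == 0 ? 0 : -errno;
}

/* 1 if the effective set holds `cap`, 0 if not, negative errno on failure. */
int has_cap(int cap) {
    cap_data_t d[2];
    int rc = read_caps(d);
    if (rc) return rc;
    if (cap < 0 || cap > 63) return -EINVAL;
    return (d[cap / 32].effective >> (cap % 32)) & 1u;
}

/* Shrink permitted/effective/inheritable to the bits set in `keep`
 * (1ULL << CAP_xxx for each capability to retain). Reducing your own
 * sets never needs privilege, so this succeeds for root and non-root. */
int keep_only(unsigned long long keep) {
    cap_hdr_t hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    cap_data_t d[2];
    int rc = read_caps(d);
    if (rc) return rc;
    for (int i = 0; i < 2; i++) {
        unsigned int m = (unsigned int)(keep >> (32 * i));
        d[i].permitted   &= m;
        d[i].inheritable &= m;
        d[i].effective    = d[i].permitted;
    }
    return syscall(SYS_capset, &hdr, d) == 0 ? 0 : -errno;
}

#define CAP_BIT(c) (1ULL << (c))
/* The three tasks from the original question, mapped to capabilities.
 * Nothing here needs uid 0. */
#define CAPS_FOR_TASK (CAP_BIT(CAP_SYS_NICE) | CAP_BIT(CAP_IPC_LOCK))

/* Lowering the nice value past RLIMIT_NICE needs CAP_SYS_NICE. */
int renice_self(int nice) {
    return setpriority(PRIO_PROCESS, 0, nice) == 0 ? 0 : -errno;
}

/* Locking more memory than RLIMIT_MEMLOCK allows needs CAP_IPC_LOCK. */
int lock_buffer(void *buf, size_t len) {
    return mlock(buf, len) == 0 ? 0 : -errno;
}

/* Pinning another user's process needs CAP_SYS_NICE; pid 0 is self.
 * Raw syscall with a plain word-sized mask, so no GNU cpu_set_t needed. */
int pin_to_cpu(pid_t pid, int cpu) {
    unsigned long mask;
    if (cpu < 0 || cpu >= (int)(8 * sizeof mask)) return -EINVAL;
    mask = 1UL << cpu;
    return syscall(SYS_sched_setaffinity, pid, sizeof mask, &mask) == 0
               ? 0 : -errno;
}

int main(void) {
    printf("CAP_SYS_NICE: %d  CAP_IPC_LOCK: %d\n",
           has_cap(CAP_SYS_NICE), has_cap(CAP_IPC_LOCK));
    /* First thing a capability-bearing helper should do: discard every
     * capability it does not need for its job. */
    if (keep_only(CAPS_FOR_TASK) != 0) perror("capset");
    static char buf[4096];
    printf("renice -5:        %s\n", strerror(-renice_self(-5)));
    printf("mlock one page:   %s\n", strerror(-lock_buffer(buf, sizeof buf)));
    printf("pin self to cpu0: %s\n", strerror(-pin_to_cpu(0, 0)));
    return 0;
}
```

To try it as the thread intends, build it, grant just the two bits with
`sudo setcap cap_sys_nice,cap_ipc_lock+ep ./capdemo`, and run it as an
ordinary user: renice and mlock succeed without the binary ever having
been setuid. Run it with no file capabilities and the same calls fail
with EACCES or ENOMEM, which is the "lack of all the necessary bits"
situation Bill describes, just made visible per call.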
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/