Re: [RFC] [PATCH] file posix capabilities

From: Joshua Brindle
Date: Thu Aug 17 2006 - 07:58:33 EST

Stephen Smalley wrote:
> On Tue, 2006-08-15 at 21:42 -0500, Serge E. Hallyn wrote:
> > Very good point. Preventing communication channels i.e. through signals
> > isn't a concern, but user hallyn ptracing himself running /bin/passwd
> > certainly is.
>
> Actually, ptrace already performs a capability comparison (cap_ptrace).
> Wrt signals, it wasn't the communication channel that concerned me but
> the ability to interfere with the operation of a process running in the
> same uid but different capabilities, like stopping it at a critical
> point. Likewise with many other task hooks - you wouldn't want to be
> able to depress the priority of a process running with greater

On this point, what about environment tampering of processes with caps? /usr/bin/passwd. glibc atsecure logic would have to be updated to do a capability comparison.

> One other point to consider is Solaris seems to have diverged from their
> own past approaches for privileges/capabilities,

Doesn't sound like they are even using file capabilities at all.

> Also, think about the real benefits of capabilities, at least as defined
> in Linux. The coarse granularity and the lack of any per-object support
> is a fairly significant deficiency there that is much better handled via
> TE. At least some of the Linux capabilities lend themselves to easy
> privilege escalation to gaining other capabilities or effectively
> bypassing them
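The capability comparison discussed above (same uid is not enough; the other process's effective set must not exceed yours), as an added example that is not part of the thread or of the kernel's cap_ptrace code: a subset test over 64-bit capability masks, fed from the CapEff field of /proc/<pid>/status. The /proc field names are real; the embedded status excerpt is constructed.

```c
/* Added example, not from the thread: the subset test a cap_ptrace-style
 * check relies on, applied to the CapEff field of /proc/<pid>/status.
 * Capability sets are 64-bit masks; a tracer passes only if the
 * target's effective set is a subset of its own. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed status excerpt for offline use (not a real capture). */
static const char sample_status[] =
    "Name:\tpasswd\nUid:\t1000\t1000\t0\t0\nCapInh:\t0000000000000000\n"
    "CapPrm:\t00000000000000c2\nCapEff:\t00000000000000c2\nCapBnd:\t0000003fffffffff\n";

/* True if every bit set in a is also set in b (a is a subset of b).
 * Called as cap_issubset(target_eff, tracer_eff) it is the ptrace-style
 * test: same uid is not enough, the target's caps must not exceed ours. */
int cap_issubset(uint64_t a, uint64_t b) { return (a & ~b) == 0; }

/* Parse one "CapXxx:\t<hex>" field from a status buffer; -1 if absent. */
int parse_cap_field(const char *status, const char *field, uint64_t *out)
{
    const char *p = strstr(status, field);
    if (!p || sscanf(p + strlen(field), " %" SCNx64, out) != 1)
        return -1;
    return 0;
}

/* Read the live CapEff of a process ("self" or a numeric pid string). */
int read_cap_eff(const char *pid, uint64_t *out)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%s/status", pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_field(buf, "CapEff:", out);
}

int main(void)
{
    uint64_t self = 0, target = 0;
    if (read_cap_eff("self", &self) == 0 && parse_cap_field(sample_status, "CapEff:", &target) == 0)
        printf("self=%016" PRIx64 " target=%016" PRIx64 " allowed=%d\n",
               self, target, cap_issubset(target, self));
    return 0;
}
```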