>> 1. Put capabilities information in the executable header.
>> 2. Mark the executable setuid root.
>> 3. Have the kernel check for #1 if #2, and prefer #1 if present.
>
> That confuses everyones security scripts. It makes the binary run as root
> on an older system, so if you downgrade you get a massive security hole
You have that backwards.
If you add capabilities information in the filesystem, all your existing
security scripts will FAIL to detect privileged executables. That is bad.
The presence of a setuid bit will be detected by older scripts.
If you downgrade the kernel, you need to have the binary run as root.
Anything else would give you a broken system. Executables with
capabilities need to be just as secure as setuid executables anyway,
since they grant privilege when run. Kernels that support capabilities
(in the header or otherwise) would only contain the damage a bit.
So the executable header method is actually a bit more secure when
running a new kernel with old scripts (likely), and it still works
in a normal setuid manner with an older kernel.
Then remember compatibility with archives, fsck, NFS, old ext2 drivers...
The header solution is just less complicated and more reliable.
(those being important qualities for a security feature)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/