On Thu, 1 Apr 1999 22:44:20 -0500 (EST), "Albert D. Cahalan"
<acahalan@cs.uml.edu> said:
> Assuming you don't allow world-writable setuid executables...
> Who can edit the file? root
> What runs as root? nothing at all
No: in the capabilities world, you _still_ want setuid. You may want
lpd/lpr etc to be suid to the lp daemon account. You may want bind to
be suid to its own account. Having large numbers of system daemon
accounts each with limited access to data files is one of the prime
mechanisms for reducing the scope of granted privileges, and suid/sgid
is the main mechanism for crossing those security domains.
You want to be able to give an executable both suid rights to a given
uid, _plus_ capabilities. You can't overload the suid-root operator to
mean "trust the binary's capabilities segment" without sacrificing some
of the power you want from a capabilities system.
--Stephen
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/