Re: [PATCH] Capabilities, this time in elf section

Raul Miller (rdm@test.legislate.com)
Sat, 10 Apr 1999 20:50:51 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: David L. Parsley: "Re: [PATCH] Capabilities, this time in elf section"
Previous message: Oleg Drokin: "Re: routing behaviour change between 2.2 and 2.0? Why?"

Alexander Viro <viro@math.psu.edu> wrote:
> There is a *completely* userspace solution for such things. Teach
> sudo which capabilities it should leave. That's it. 'ask admin to mark
> executable' == be included into sudoers with appropriate set of
> capabilities. sudo allows different behaviour basing on a command, host,
> user and arguments of said command. And it leaves audit trail. No need to
> touch the kernel at all - tool already exists, so why reinvent the wheel?

[1] At the moment, sudo doesn't have to know to look into elf headers
to restrict what the program can do. It probably never will get this,
because that's outside the design concept of sudo.

[2] Scripts which use existing privileged executables would have to
be rewritten. [Or, are you suggesting that all those executables
get replaced with shell scripts that call sudo? This raises some
efficiency issues, and more backwards compatability issues.]

-- Raul

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/

Next message: David L. Parsley: "Re: [PATCH] Capabilities, this time in elf section"
Previous message: Oleg Drokin: "Re: routing behaviour change between 2.2 and 2.0? Why?"