[...]
> > Hmm? Are you suggesting file access permissions should depend on the
> > contents of the file? I thought one of the leading design principles of
> > Unix was that the kernel treats files as an unstructured stream of
> > bytes, and that imposing some kind of structure (records etc) on files
> > is done entirely in user space.
> > Before you all start screaming that this isn't true: Yes, *of course*
> > the kernel knows about the ELF format, but this knowledge is restricted
> > to when the structure has some significance to the kernel -- when it is
> > about to exec a binary. You seem to be proposing that also the file
> > system code should be parsing arbitrary files to see if they can be
> > written to or not.
> I don't see the problem. A suid-root binary is immutable for everyone
> but root. Only root can grant capabilities. If some user is allowed to
> create binaries with privileged port access, then they just need to
> run a privileged binary which adds CAP_PORT to the binary.
There are problems:
- There is no "root" in a capability system, you have to get rid of
"privileged users" completely. Better do it right the first time around
rather than "fix" it by a endless series of ever hairier patches
- The idea of keeping capabilities in the file itself invites capability
smuggling, better if programs that don't know about capabilities can't
handle them at all: No dumb tar(1), no hexeditor, no cp(1), ...
- This is a ELF-only kludge. What about a Web server written in Perl? CGIs
written in Java that need extra privileges?
-- Dr. Horst H. von Brand mailto:vonbrand@inf.utfsm.cl Departamento de Informatica Fono: +56 32 654431 Universidad Tecnica Federico Santa Maria +56 32 654239 Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/