>> It is not a showstopper. Your capabilities do NOT prevent you from
>> trojan horses. If you run program with uid=0, it does not need any
>> special privileges to screw you up. [Hint: who is owner of /etc/passwd?]
>
> Then don't run programs setuid root! This is why using setuid root as
> the method for marking that a file has capabilities is a complete
> non-starter, as we have discussed before.
Clearly you have missed a large chunk of the discussion.
The file gets marked setuid-root, but only runs setuid-root as an option.
The setuid-root setting is only required to indicate trust.
magic kernel effect
----- ------ --------------------------
ELF old setuid-root
ELF new as specified in the header
FLE old will not run
FLE new as specified in the header
If there is a real need to let enhanced executables run without privileges
on an obsolete kernel, there might be an ext2 flag solution for local files.
One could also _optionally_ trust the sticky bit on a read-only NFS mount.
Please read http://www.cs.uml.edu/~acahalan/linux/cap.txt if you haven't
already. I'd like to have some comments on the proposal.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/