>>>>> ...and works only for some types of files (how about a
>>>>> webserver written in Perl?).
>> {Shrug} Perhaps somebody can suggest some way that capabilities
>> can have meaning for a script, any script if it comes to that?
> A script in Unix is just another random way to write a program
> that does what I want. Nothing special there. Note that today's
> scripts are (almost) undistinguishable from binary, compiled
> programs: They may carry the same permissions (execute
> permissions for whom, even S[UG]ID bits (not on all Unices, but
> several honor them)).
Ask BugTrax about that - of the unices I've met, those that honour
S[UG]ID bits on scripts are the ones that have the most security
holes, and I believe the two facts are connected.
> If some scheme can't do the same (at least in principle) for
> capabilities, it is fundamentally flawed.
Turn that round: If it CAN do the same, then it's a serious security
risk that should be closed up.
> No "all capable" interpreter should be needed, as this is a
> _huge_ security risk, the kernel might as well endow this
> particular process with the requested capabilities, and nothing
> else.
No "all capable" interpreter should exist for the simple reason that
having either it or a script with EXTRA capabilities is a serious
security risk that needs to be closed up.
Best wishes from Riley.
+----------------------------------------------------------------------+
| There is something frustrating about the quality and speed of Linux |
| development, ie., the quality is too high and the speed is too high, |
| in other words, I can implement this XXXX feature, but I bet someone |
| else has already done so and is just about to release their patch. |
+----------------------------------------------------------------------+
* ftp://ftp.MemAlpha.cx/pub/rhw/Linux
* http://www.MemAlpha.cx/kernel.versions.html
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/