Re: file effective and process inheritable mask

Y2K (
Sun, 25 Apr 1999 17:04:37 -0700 (PDT)

On Sun, 25 Apr 1999, David L. Parsley (lkml account) wrote:
> On Sun, 25 Apr 1999, Albert D. Cahalan wrote:
> what about 3. fm=min caps to run else EPERM ?
I like that idea.
> Just to be sure I'm not completely off base here, this is what it looks
> like to me for current file cap sets (5 total):
> fP, bits explicitly raised in Permitted
> fI, bits Inheritable from parent
> fE, Effective bits initially set (yes, I agree we should go ahead and
> include this full set)
> fM, inheritable Mask, this adds security by restricting pI from always
> passing unrestrained to the child
> fR, (suggested nomenclature) Required capabilities; i.e., if the parent
> process doesn't have the necessary pI for the child to run properly, it
I don't see how fM could help any. Again I kind of like the fR idea.
For fM could you please carefully consider some of the arguements that
have come to light. You mentioned compatibility so please focus on how it
might be used to relieve the problem with "pure draft" leaving 'cp' and
family either unusable for admining or security holes.
> I'm curious, though, where everybody stands on setuid0 vs. ext2 bit. To
> summarize:
For now just let suid-root have it normal compatible behavior-- complement
that with elf headers. later ext3 will be the best answer.
> setuid0
> cons:
> - I'm not sure about the best solution for binaries w/ pP=0 and
> pI=(something); if this needs to be priviledged, it means marking a lot of
> stuff like tar, cp, rpm, ... setuid0; if this is not a priviledged
> operation, the file owner can raise all inheritable; this is especially a
> hazard for binaries which are setuid to some non-root uid (a good thing to
> do for filesystem security)
> - for files marked setuid0, requires storing uid info in headers
setuid0 marking tar,cp,rpm, etc is broken anyway you look at it.
for "pure draft" you to admit that they are unusable for admin purposes,
that is really hard on rpm since it's install thing is a major
commonly used admin function of rpm. May I suggest you take a closer look
at "soiled" caps which neatly avoids having to privledged mark those
files. You may optional in addition use elf headers which can only
further restrict.
> ext2bit
Wait for ext3.

When I mention capabilites I mean "soiled" capabilities not "pure draft".
Any caps I mention are *derived* from a withdrawn draft posix document.

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to Please read the FAQ at