> > Next try with capabilities, this time against 2.3.1. Patch is completely
> > safe and should significantly enhance system security. It is completely
> > backward compatible: ie. no semantics change. Capabilities are
> > implemented using elf notes (and this version parses notes correctly).
> > Software exists for adding capabilities at runtime, so you don't even
> > require a recompile.
>
> I'm not entirely convinced. The thing with ELF notes is that they only
> work with ELF. That may sound obvious, and it is, but it makes me wonder
> whether it's the right way at all.
Only other executables are a.out (nobody uses them these days) and
scripts. But take a look: we do not honour setuid bit on scripts,
anyway! It is perl interpretter who has s bit. So I do not think
scripts are issue.
> I suspect that it would be cleaner to have capabilities be a name-space
> issue rather than an inode issue. For example, the one thing I've always
> wanted to do with symlinks is to have symlinks that can change the
> privileges of the lookup - it's complex and maybe not a good idea, but
> it's a more intriguing concept and works with shellscripts and other
> systems where you can't add ELF notes..
Yes, going namespace would be nicer, but is _extremely hard_ as you
would need to modify tools such as tar, cp, nfsd etc. And I doubt it
will be usefull. As long as elf is only widespread executable format
(and it is - sbit is not honoured for scripts and a.out is dead), I
think this solution is pretty much ok.
Pavel
-- I'm really pavel@ucw.cz. Look at http://195.113.31.123/~pavel. Pavel Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/