[...]
> > I don't want to trust an all-capable Perl interpreter. Not on a system that
> > is important/critical enough to be secured by capabilities. A clean
> > solution is given if the script carries capabilities, the kernel notes this
> > and invokes the interpreter with the capabilities the filesystem grants. In
> > this case it is useless to trick the interpreter.
> As things are right now you can't do this or you'll end up with the same
> security problem as for example SUID scripts on SunOS 4 had.
I know.
> To make things work as you want them a file descriptor to the SUID script
> would have to be passed to the interpreter by binfmt_script and every
> interpreter would have to be changed to take advantage of that. Otherwise
> there is a security hole ...
Right.
--
Horst von Brand vonbrand@sleipnir.valparaiso.cl
Casilla 9G, Viña del Mar, Chile +56 32 672616
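
The descriptor-passing fix discussed in this thread, as an added example that is not part of the original messages or of any kernel code: it contrasts reading a script through a descriptor opened before the privilege decision with re-opening it by name afterwards. The file names, sample contents and the function `fd_survives_path_swap` are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` with the given text (constructed sample content). */
static int put(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Read up to len-1 bytes from an open descriptor into a C string. */
static int slurp(int fd, char *buf, size_t len) {
    ssize_t n = read(fd, buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Returns 1 when the descriptor still yields the vetted file although the
 * path now names a different inode; -1 on setup failure. */
int fd_survives_path_swap(const char *dir) {
    char script[256], other[256], by_fd[32], by_path[32];
    struct stat vetted, now;
    snprintf(script, sizeof script, "%s/demo-script.%ld", dir, (long)getpid());
    snprintf(other, sizeof other, "%s/demo-other.%ld", dir, (long)getpid());
    if (put(script, "vetted\n") || put(other, "swapped\n")) return -1;

    int fd = open(script, O_RDONLY);              /* loader opens the script once */
    if (fd < 0 || fstat(fd, &vetted)) return -1;  /* grant is decided from this inode */
    if (rename(other, script)) return -1;         /* the name is re-pointed afterwards */

    int pfd = open(script, O_RDONLY);             /* interpreter re-opening by name */
    if (pfd < 0 || slurp(pfd, by_path, sizeof by_path)) return -1;
    if (stat(script, &now) || slurp(fd, by_fd, sizeof by_fd)) return -1;
    close(pfd); close(fd); unlink(script);

    return strcmp(by_fd, "vetted\n") == 0 && strcmp(by_path, "swapped\n") == 0
        && vetted.st_ino != now.st_ino;
}

int main(void) {
    printf("fd still bound to vetted inode: %d\n", fd_survives_path_swap("/tmp"));
    return 0;
}
```

An interpreter that reads from the inherited descriptor sees exactly the inode the privilege decision was made on; one that re-opens the name does not, which is why every interpreter would need to cooperate.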