From: Andrew Morton <akpm@osdl.org>
To: Chris Wright <chrisw@osdl.org>
Cc: chrisw@osdl.org, andrea@suse.de, linux-kernel@vger.kernel.org,
kenneth.w.chen@intel.com
Subject: Re: disable-cap-mlock
Date: Fri, 2 Apr 2004 15:01:52 -0800 [thread overview]
Message-ID: <20040402150152.7675cf7e.akpm@osdl.org> (raw)
In-Reply-To: <20040402143639.G21045@build.pdx.osdl.net>
Chris Wright <chrisw@osdl.org> wrote:
>
> * Andrew Morton (akpm@osdl.org) wrote:
> > So I spent a few hours getting pam_cap to work, and indeed it is now doing the
> > right thing. But the kernel is not.
>
> Do you have a patch? Seems it could be useful to get this and libcap back
> up-to-date .
http://www.zip.com.au/~akpm/linux/patches/stuff/pam_cap-akpm.tar.gz
> > 2) the kernel unconditionally removes CAP_SETPCAP in dummy_capget() so
> > it is not possible for even a root-owned, otherwise-fully-capable task
> > to raise capabilities on another task. Period.
>
> This is how the kernel was before the security stuff went in.
That's my point, Chris. "the feature is bollixed, so let's write a ton of
new parallel stuff but not fix the original code". This is how cruft
accumulates.
> > I must say that I'm fairly disappointed that we developed and merged all
> > that fancy security stuff but nobody ever bothered to fix up the existing
> > simple capability code.
>
> Our goal was actually to keep is compatible. All of it's limitations
> predate the security stuff.
Either the fine-grained capabilities are fixable, or they should be deleted
and we go back to suser(). One of those things should have happened before
adding more code, surely?
> I'm not sure, but it likely has to do with anticipating having the fs
> bits of capabilities to do proper setting at execve(). I think basically
> nobody really uses capabilites except in either simple root drops a
> few privs ways (no exec), or within larger security models running as
> kernel modules.
Yup, we've talked about how you can drop caps in this way for *years* but I
don't think many people realised that this emperor is unclad.
> > I'm looking at securebits.h and wondering why that exists - there's no code
> > in-kernel to set the thing, although it is exported to modules. Perhaps
> > securebits should be exposed in /proc and used to enable
> > retain-caps-across-execve.
>
> IIRC, changing those (existing) securebits settings creates an unusable
> machine. Again, I think there was some anticipation of the fs bits
> going in later. Perhaps those securebits pieces could just be removed.
OK. Do you have time to do the honours?
next prev parent reply other threads:[~2004-04-02 22:59 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-04-01 13:59 disable-cap-mlock Andrea Arcangeli
2004-04-01 14:12 ` disable-cap-mlock Martin Zwickel
2004-04-01 16:48 ` disable-cap-mlock William Lee Irwin III
2004-04-01 16:59 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 17:11 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 17:16 ` disable-cap-mlock William Lee Irwin III
2004-04-01 17:34 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 17:38 ` disable-cap-mlock William Lee Irwin III
2004-04-01 17:42 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 17:37 ` disable-cap-mlock Stephen Smalley
2004-04-01 17:44 ` disable-cap-mlock William Lee Irwin III
2004-04-01 17:49 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 17:51 ` disable-cap-mlock William Lee Irwin III
2004-04-01 18:12 ` disable-cap-mlock William Lee Irwin III
2004-04-01 17:52 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 17:54 ` disable-cap-mlock William Lee Irwin III
2004-04-01 18:47 ` disable-cap-mlock Stephen Smalley
2004-04-01 19:26 ` disable-cap-mlock William Lee Irwin III
2004-04-01 20:23 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 21:13 ` disable-cap-mlock William Lee Irwin III
2004-04-01 21:31 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 18:34 ` disable-cap-mlock Andrew Morton
2004-04-01 18:49 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 18:52 ` disable-cap-mlock Chen, Kenneth W
2004-04-01 18:59 ` disable-cap-mlock William Lee Irwin III
2004-04-01 19:27 ` disable-cap-mlock James Morris
2004-04-02 10:39 ` disable-cap-mlock Pavel Machek
2004-04-02 23:44 ` disable-cap-mlock William Lee Irwin III
2004-04-01 19:44 ` disable-cap-mlock Rik van Riel
2004-04-01 19:52 ` disable-cap-mlock Andrew Morton
2004-04-01 22:36 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 22:43 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 23:08 ` disable-cap-mlock Rik van Riel
2004-04-01 23:26 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 0:59 ` disable-cap-mlock Chris Wright
2004-04-01 22:29 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 1:07 ` disable-cap-mlock Chris Wright
2004-04-02 1:18 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 1:30 ` disable-cap-mlock Chris Wright
2004-04-02 1:35 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:04 ` disable-cap-mlock Chris Wright
2004-04-02 2:13 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:21 ` disable-cap-mlock Chris Wright
2004-04-02 2:38 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:48 ` disable-cap-mlock Chris Wright
2004-04-02 1:30 ` disable-cap-mlock Andrew Morton
2004-04-02 1:59 ` disable-cap-mlock Chris Wright
2004-04-02 2:09 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:30 ` disable-cap-mlock Andrew Morton
2004-04-02 2:33 ` disable-cap-mlock Chris Wright
2004-04-02 2:45 ` disable-cap-mlock Andrew Morton
2004-04-02 2:51 ` disable-cap-mlock Chris Wright
2004-04-02 3:21 ` disable-cap-mlock William Lee Irwin III
2004-04-02 2:41 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:49 ` disable-cap-mlock Andrew Morton
2004-04-02 3:07 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 21:35 ` disable-cap-mlock Andrew Morton
2004-04-02 22:36 ` disable-cap-mlock Chris Wright
2004-04-02 22:56 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 23:01 ` Andrew Morton [this message]
2004-04-02 23:18 ` disable-cap-mlock Chris Wright
2004-04-05 12:13 ` disable-cap-mlock Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040402150152.7675cf7e.akpm@osdl.org \
--to=akpm@osdl.org \
--cc=andrea@suse.de \
--cc=chrisw@osdl.org \
--cc=kenneth.w.chen@intel.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.