From: David Madore <david.madore@ens.fr>
To: Jan Engelhardt <jengelh@linux01.gwdg.de>
Cc: Linux Kernel mailing-list <linux-kernel@vger.kernel.org>,
LSM mailing-list <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities
Date: Mon, 11 Sep 2006 08:51:11 +0200 [thread overview]
Message-ID: <20060911065111.GA4850@clipper.ens.fr> (raw)
In-Reply-To: <Pine.LNX.4.61.0609110807250.14570@yvahk01.tjqt.qr>
On Mon, Sep 11, 2006 at 08:10:17AM +0200, Jan Engelhardt wrote:
> You cannot reasonable run a program without CAP_REG_OPEN, because
> ld.so, libc.so and libdl.so all may load a ton of required files
> underneath you.
A program might quite conceivably drop CAP_REG_OPEN willingly once
it's started, or the administrator might use capset() on it once it's
running. But, again, this cap is mostly a proof of concept: the
really useful ones are CAP_REG_WRITE and CAP_REG_SXID.
--
David A. Madore
(david.madore@ens.fr,
http://www.madore.org/~david/ )
next prev parent reply other threads:[~2006-09-11 6:51 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-10 13:37 [PATCH 1/4] security: capabilities patch (version 0.4.4), part 1/4: enlarge capability sets David Madore
2006-09-10 13:41 ` [PATCH 2/4] security: capabilities patch (version 0.4.4), part 2/4: change inheritance semantics David Madore
2006-09-10 13:42 ` [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities David Madore
2006-09-10 16:23 ` Alan Cox
2006-09-10 16:09 ` David Madore
2006-09-11 8:06 ` James Morris
2006-09-11 12:03 ` Joshua Brindle
2006-09-11 16:22 ` Casey Schaufler
2006-09-17 18:06 ` Pavel Machek
2006-09-10 17:56 ` Joshua Brindle
2006-09-10 20:03 ` David Madore
2006-09-11 6:10 ` Jan Engelhardt
2006-09-11 6:51 ` David Madore [this message]
2006-09-11 13:42 ` Stephen Smalley
2006-09-17 18:14 ` Pavel Machek
2006-09-17 20:39 ` Joshua Brindle
2006-09-17 21:16 ` David Madore
2006-09-18 11:46 ` Joshua Brindle
2006-09-18 11:58 ` David Madore
2006-09-18 12:04 ` Pavel Machek
2006-09-18 12:12 ` Joshua Brindle
2006-09-18 16:02 ` Casey Schaufler
2006-09-19 0:25 ` Joshua Brindle
2006-09-19 3:46 ` Casey Schaufler
2006-09-19 4:09 ` Joshua Brindle
2006-09-19 15:54 ` Casey Schaufler
2006-09-19 18:27 ` Pavel Machek
2006-09-10 13:44 ` David Madore
2006-09-10 13:46 ` [PATCH 4/4] security: capabilities patch (version 0.4.4), part 4/4: add filesystem support David Madore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060911065111.GA4850@clipper.ens.fr \
--to=david.madore@ens.fr \
--cc=jengelh@linux01.gwdg.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.