From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Eric Paris <eparis@redhat.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
	lkml <linux-kernel@vger.kernel.org>,
	David Howells <dhowells@redhat.com>,
	Ashwin Ganti <ashwin.ganti@gmail.com>, Greg KH <greg@kroah.com>,
	rsc@swtch.com, ericvh@gmail.com,
	linux-security-module@vger.kernel.org,
	Ron Minnich <rminnich@gmail.com>,
	jt.beard@gmail.com, Andrew Morton <akpm@linux-foundation.org>,
	Andrew Morgan <morgan@kernel.org>,
	oleg@us.ibm.com, "Eric W. Biederman" <ebiederm@xmission.com>,
	linux-api@vger.kernel.org, Randy Dunlap <rdunlap@xenotime.net>,
	sgrubb@redhat.com
Subject: Re: [PATCH 3/3] p9auth: add p9auth driver
Date: Wed, 21 Apr 2010 09:30:16 -0500
Message-ID: <20100421143016.GA31880@us.ibm.com>
In-Reply-To: <1271858141.2899.7.camel@dhcp235-240.rdu.redhat.com>

Quoting Eric Paris (eparis@redhat.com):
> On Wed, 2010-04-21 at 10:27 +0100, Alan Cox wrote:
> > > This is a change which must be discussed.  The use of this
> > > privilege can be completely prevented by having init remove
> > > CAP_GRANT_ID from its capability bounding set before forking any
> > > processes.
> > 
> > Which is a minor back compat issue - but you could start without it and
> > allow init to add it.
> > 
> > It seems a very complex interface to do a simple thing. A long time ago
> > there was discussion around extending the AF_UNIX fd passing to permit
> > 'pass handle and auth' so you could send someone a handle with a "become
> > me" token attached.
> 
> If you do go down this path there is a separate (and actually completely
> opposite) but related problem I might be able and willing to work with
> you on.  When looking at how auditing works in this modern day and age
> of dbus+polkit to get background processes to do work on behalf of a

This actually brings up an issue I've been a bit worried about: is
credentials passing for dbus adequate?  I thought that the last time
I looked through some code, there was no way in particular for upstart
to pass posix capabilities info along.  What that means is that as root
I can do

capsh --drop=(list of all capabilities) --
   reboot

and, although I don't have cap_sys_boot, I can reboot the system.  So
the only way I can prevent a container from rebooting the host is to
start it in a fresh network namespace to segregate the abstract unix
domain sockets.  But if I don't want a fresh network namespace, I'm out
of luck.

> user we were discussing an interface that would pass the information
> about the user to the background server process.  The background server
> process could do some magic such that it still had all the permissions
> and rights of itself, but had the audit information of the original
> user.  Thus even though it was a server process with uid=0 that did the
> work, the audit logs could know it was actually on behalf of uid=500.  
> 
> It was discussed passing that token of audit information over an AF_UNIX
> socket.
> 
> -Eric
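
The following is an added illustration of the point Serge raises above; it is not code from the thread, from upstart, or from the kernel patches under discussion. It assumes Linux with /proc mounted, SO_PEERCRED on AF_UNIX sockets, and the capability bit numbering of the kernel's uapi capability.h (CAP_SYS_BOOT is bit 22). What SO_PEERCRED hands a service is the peer's pid, uid and gid only; no capability sets travel with it, which is why a uid 0 client that has emptied its capability sets with capsh looks, to a socket-based init, exactly like a fully privileged root. The only way to recover that information is to read /proc/<pid>/status for the reported pid, and the code below shows both the check and the race that comes with it.

```python
"""Added example (not from the thread): what an AF_UNIX service learns about
a client's privileges on Linux, and what it has to dig up itself.

Assumptions: Linux with /proc mounted and SO_PEERCRED available; capability
bit numbers follow include/uapi/linux/capability.h.
"""
import os
import socket
import struct

CAP_SYS_BOOT = 22  # bit number of CAP_SYS_BOOT in the kernel's capability masks

# Constructed /proc/<pid>/status fragments (not captured from a real system):
# a uid 0 client with every capability, and the same client after
# "capsh --drop=<everything>": uid still 0, CapEff empty.
STATUS_FULL_CAPS = (
    "Name:\treboot\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"
)
STATUS_NO_CAPS = (
    "Name:\treboot\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000000000000000\n"
)


def peer_credentials(sock):
    """Return (pid, uid, gid) from struct ucred, as recorded by the kernel at
    connect()/socketpair() time.  Note what is absent: no capability sets."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("iII"))
    pid, uid, gid = struct.unpack("iII", raw)
    return pid, uid, gid


def parse_caps(status_text):
    """Parse the Cap* lines of /proc/<pid>/status into {name: int mask}."""
    caps = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            caps[key] = int(value.strip(), 16)
    return caps


def has_cap(mask, cap):
    """True if capability bit `cap` is set in a 64-bit capability mask."""
    return bool((mask >> cap) & 1)


def caps_of_pid(pid):
    """Read the current capability sets of a live process from /proc."""
    with open(f"/proc/{pid}/status") as f:
        return parse_caps(f.read())


def peer_has_effective_cap(sock, cap):
    """The check the kernel does not do for a service: is the peer actually
    holding `cap` in CapEff?  Caveat: ucred is a snapshot from connect time
    while /proc shows the peer *now*; the pid may have exec'd, dropped
    capabilities, or exited and been reused in between (TOCTOU)."""
    pid, _uid, _gid = peer_credentials(sock)
    return has_cap(caps_of_pid(pid)["CapEff"], cap)


def socketpair_peer_is_self():
    """Both ends of a socketpair belong to this process, so SO_PEERCRED must
    report our own pid."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return peer_credentials(b)[0] == os.getpid()
    finally:
        a.close()
        b.close()


def socketpair_peer_has_cap(cap):
    """Run the /proc-backed check against ourselves over a socketpair."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return peer_has_effective_cap(b, cap)
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    for label, text in (("full caps", STATUS_FULL_CAPS), ("capsh --drop", STATUS_NO_CAPS)):
        eff = parse_caps(text)["CapEff"]
        print(f"{label}: uid 0, CapEff={eff:#x}, cap_sys_boot={has_cap(eff, CAP_SYS_BOOT)}")
    print("socketpair peer is self:", socketpair_peer_is_self())
    print("this process has cap_sys_boot:", socketpair_peer_has_cap(CAP_SYS_BOOT))
```

Run as root inside and outside a `capsh --drop=...` wrapper and compare: the ucred tuple is identical in both cases, and only the /proc lookup distinguishes them. A service that wants to gate reboot on the caller's capabilities rather than its uid has to do that lookup itself and live with the race, or be reached through something that carries capabilities with the request, which is what the "pass handle and auth" idea Alan mentions would provide.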

Thread overview: 45+ messages
2010-04-21  1:27 [PATCH 1/3] p9auth: split core function out of some set*{u,g}id functions Serge E. Hallyn
2010-04-21  1:28 ` [PATCH 2/3] p9auth: add CAP_GRANT_ID to authorize use of /dev/caphash Serge E. Hallyn
2010-04-21  2:54   ` Greg KH
     [not found] ` <20100421012749.GA21338-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-04-21  1:29   ` [PATCH 3/3] p9auth: add p9auth driver Serge E. Hallyn
2010-04-21  1:29     ` Serge E. Hallyn
     [not found]     ` <20100421012908.GB24251-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-04-21  3:04       ` Greg KH
2010-04-21  3:04         ` Greg KH
     [not found]         ` <20100421030406.GB10258-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2010-04-21  3:45           ` Serge E. Hallyn
2010-04-21  3:45             ` Serge E. Hallyn
2010-04-21  4:18             ` Ashwin Ganti
2010-04-21  4:18               ` Ashwin Ganti
2010-04-21 13:47               ` Serge E. Hallyn
2010-04-21 13:47                 ` Serge E. Hallyn
     [not found]                 ` <20100421134759.GE16326-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-04-21 14:44                   ` Ashwin Ganti
2010-04-21 14:44                     ` Ashwin Ganti
2010-04-21  4:45             ` Eric W. Biederman
     [not found]               ` <m1zl0xo1m9.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-04-21 13:21                 ` Serge E. Hallyn
2010-04-21 13:21                   ` Serge E. Hallyn
2010-04-24  3:36                 ` Serge E. Hallyn
2010-04-24  3:36                   ` Serge E. Hallyn
2010-04-24 16:25                   ` ron minnich
2010-04-24 16:25                     ` ron minnich
     [not found]                     ` <n2s13426df11004240925id540ed94mc2ebafada0099ec4-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2010-04-24 18:01                       ` Eric W. Biederman
2010-04-24 18:01                         ` Eric W. Biederman
2010-04-25  3:24                         ` Serge E. Hallyn
2010-04-21  9:27       ` Alan Cox
2010-04-21  9:27         ` Alan Cox
     [not found]         ` <20100421102739.6ad932fb-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
2010-04-21 13:39           ` Serge E. Hallyn
2010-04-21 13:39             ` Serge E. Hallyn
2010-04-21 14:19             ` Alan Cox
     [not found]               ` <20100421151917.5ae20265-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
2010-04-21 15:09                 ` Serge E. Hallyn
2010-04-21 15:09                   ` Serge E. Hallyn
2010-04-21 19:15                   ` Eric W. Biederman
2010-04-21 20:23                     ` Serge E. Hallyn
2010-04-22  4:57                     ` Kyle Moffett
     [not found]                       ` <w2wf73f7ab81004212157o371c5738o10c8b6ff807ba36a-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2010-04-22 14:36                         ` Serge E. Hallyn
2010-04-22 14:36                           ` Serge E. Hallyn
2010-04-21 13:55           ` Eric Paris
2010-04-21 13:55             ` Eric Paris
2010-04-21 14:30             ` Serge E. Hallyn [this message]
2010-04-21 10:49       ` David Howells
2010-04-21 10:49         ` David Howells
2010-04-21 13:40         ` Serge E. Hallyn
2010-04-21 10:46 ` [PATCH 1/3] p9auth: split core function out of some set*{u,g}id functions David Howells
2010-04-21 13:40   ` Serge E. Hallyn
