From: Casey Schaufler <casey@schaufler-ca.com>
To: "Bill O'Donnell" <billodo@sgi.com>,
KaiGai Kohei <kaigai@kaigai.gr.jp>,
"Serge E. Hallyn" <serue@us.ibm.com>,
Chris Friedhoff <chris@friedhoff.org>
Cc: linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH] Implement file posix capabilities
Date: Wed, 24 Jan 2007 12:24:18 -0800 (PST) [thread overview]
Message-ID: <239813.31714.qm@web36606.mail.mud.yahoo.com> (raw)
In-Reply-To: <20070124163004.GA15979@sgi.com>
--- Bill O'Donnell <billodo@sgi.com> wrote:
> ... That said, can one expect, through
> the use of these enhanced capabilities,
> to be able to add some finer grain
> capabilities based on a specific userid?
POSIX capabilities are explictly disjoint from
userids in the kernel, and this is by design.
You could provide limited capability sets to
users at the application layer.
> In Chris' ping example,
> the suid is removed from /bin/ping to restrict it to
> root, and a
> capability added to allow any user to execute it.
> Can that example
> be extended to make it so only a _particular_ user
> can execute it?
Give the file the capability and set an
ACL that allows only that user execute access.
> I realize with SELinux, one could achieve the goal,
> but as a stopgap,
> can capabilities be used to get there?
Certainly, as above.
> Thanks,
> Bill
>
> --
> Bill O'Donnell
> SGI
Have a look in /etc/irix.cap on a Trix box
some time. I suspect there might be one in
your facility.
Casey Schaufler
casey@schaufler-ca.com
prev parent reply other threads:[~2007-01-24 20:24 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-11-27 17:07 [PATCH] Implement file posix capabilities Serge E. Hallyn
2006-11-29 10:28 ` Chris Friedhoff
2006-11-29 20:40 ` Bill O'Donnell
2006-11-30 18:05 ` Bill O'Donnell
2006-11-30 22:57 ` Serge E. Hallyn
2006-12-01 19:28 ` Bill O'Donnell
2006-12-02 3:30 ` KaiGai Kohei
2007-01-24 16:30 ` Bill O'Donnell
2007-01-24 20:24 ` Casey Schaufler [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=239813.31714.qm@web36606.mail.mud.yahoo.com \
--to=casey@schaufler-ca.com \
--cc=billodo@sgi.com \
--cc=chris@friedhoff.org \
--cc=kaigai@kaigai.gr.jp \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.