From: Casey Schaufler <casey@schaufler-ca.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>,
	lkml <linux-kernel@vger.kernel.org>,
	linux-security-module@vger.kernel.org,
	Andrew Morton <akpm@osdl.org>
Subject: Re: [PATCH 0/2] file capabilities: two bugfixes
Date: Fri, 8 Dec 2006 12:41:04 -0800 (PST)
Message-ID: <402572.41716.qm@web36607.mail.mud.yahoo.com>
In-Reply-To: <20061208193657.GB18566@sergelap.austin.ibm.com>


--- "Serge E. Hallyn" <serue@us.ibm.com> wrote:

> ...
> The other is that root can lose capabilities by executing files with
> only some capabilities set.  The next two patches change these
> behaviors.

It was the intention of the POSIX group that
capabilities be independent of uid. I would
argue that the old behavior was correct, that
a program marked to lose a capability ought
to even if the uid is 0.


Casey Schaufler
casey@schaufler-ca.com

Thread overview: 8+ messages
2006-12-08 19:36 [PATCH 0/2] file capabilities: two bugfixes Serge E. Hallyn
2006-12-08 19:38 ` [PATCH 1/2] file capabilities: don't do file caps if MNT_NOSUID Serge E. Hallyn
2006-12-08 19:39 ` [PATCH 2/2] file capabilities: honor !SECURE_NOROOT Serge E. Hallyn
2006-12-08 20:41 ` Casey Schaufler [this message]
2006-12-08 21:16   ` [PATCH 0/2] file capabilities: two bugfixes Serge E. Hallyn
2006-12-08 22:08     ` Casey Schaufler
2006-12-09  0:43 ` Seth Arnold
2006-12-11 21:31   ` Crispin Cowan
