Christer Weinigel wrote: > Pascal Schmidt writes: > [...] if I have write permisson to a CD burner, being able to > burn a coaster by issuing strange commands is something I expect. > Being able to destroy the firmware of the drive is not something I > expect a normal user to be able to do. > > There are at least three conflicting goals here: > > 1. Only someone with CAP_SYS_RAWIO (i.e. root) should be able to do > possible destructive things to a device, and only root should be > able to bypass the normal security checks in the kernel (e.g. get > access to /dev/mem since access to it means that you can read and > modify internal kernel structures). > > 2. A Linux system should have as few suid root binaries as possible. > > 3. A normal user should be able to perform most tasks without needing > root. > I hope this is not a stupid idea: I propose a finer-grained approach to suid-root binaries. Perhaps, instead of having a single flag giving the binary all the rights and responsibilities of its owner, there could be a table/list/something of capabilities which we want to grant to the binary. This, of course, would be a privileged operation (perhaps a new capability?). For example, we might want to grant cdrecord CAP_SYS_RAWIO. This way, we don't have to worry about cdrecord running as root and not dropping all the capabilities it doesn't need, by accident or by malice. Further, and I realize that this would probably require major restructuring, perhaps there could be another field: for each capability we want to grant, a method to specify _where_ the binary can use that capability. To extend the previous example: we might want to give cdrecord CAP_SYS_RAWIO just on, say, /dev/burner0 and /dev/burner1, but not /dev/hda. That way, some typo won't have us trying to burn cds with our hard disks. Again, I hope it's not a stupid idea. I don't have a working implementation, and I'm not even sure if it's even possible, but it's a thought. -- electronerd (jonathan s myers) code poet and recycle bin monitor programmer, monolith3d.com