From: "Andrew G. Morgan" <morgan@kernel.org>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: charles.kirsch@internet.lu, lkml <linux-kernel@vger.kernel.org>,
linux-security-module@vger.kernel.org,
Gerald Combs <gerald@wireshark.org>,
Gilbert Ramirez <gram@alumni.rice.edu>,
Guy Harris <guy@alum.mit.edu>
Subject: Re: Possible problem in linux file posix capabilities
Date: Sun, 17 Feb 2008 17:20:21 -0800 [thread overview]
Message-ID: <47B8DD55.5070800@kernel.org> (raw)
In-Reply-To: <20080217224851.GA9168@sergelap.austin.ibm.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Serge E. Hallyn wrote:
| Andrew, this pretty much was bound to happen... we need to figure out
| what our approach here should be. My preference is still to allow
| signals when p->uid==current->uid so long as !SECURE_NOROOT. Then as
| people start using secure_noroot process trees they at least must know
| what they're asking for.
I don't think there is anything special about root.
I've been trying to advocate that we remove the *uid == 0 part of this
check since we discussed it in November:
As I said 11/29/07 [Re: [patch 31/55] file capabilities: don't prevent
signaling setuid root programs]:
| I actually said (11/26/07):
|> >> Serge,
|> >>
|> >> I still feel a bit uneasy about this. Looking ahead, with filesystem
|> >> capabilities, one can simulate this same situation with a setuid
|> >> 'non-root' program as follows:
|> >>
|> >> [... example of simulating the same situation with setuid-non-root
...]
|> >>
|> >> Is there a compelling reason to include the euid==0 check?
So, independent of whether SECURE_NOROOT is in effect or not, I think
this particular line should simply read:
~ if (p->uid == current->uid)
~ return 0;
| An alternative stance is to accept these things as they come up and try
| to quickly work with the authors of such programs to work around it. I
| suppose in a security sense that's the superior way :) But it also
| seems likely to lead to most people choosing option 2 above and not
| bothering to fix the problem.
Cheers
Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFHuN1V+bHCR3gb8jsRAkqnAJ9o9j9KALm/LxWRoU9PGo9f7UWNYgCdGTQC
Pm0daaJRMhWzcGSsTNgqj44=
=EkD2
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2008-02-18 1:20 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-02-17 22:48 Possible problem in linux file posix capabilities Serge E. Hallyn
2008-02-18 1:20 ` Andrew G. Morgan [this message]
2008-02-18 1:39 ` Serge E. Hallyn
2008-02-18 1:55 ` Andrew G. Morgan
2008-02-18 5:17 ` Casey Schaufler
2008-02-18 13:44 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47B8DD55.5070800@kernel.org \
--to=morgan@kernel.org \
--cc=charles.kirsch@internet.lu \
--cc=gerald@wireshark.org \
--cc=gram@alumni.rice.edu \
--cc=guy@alum.mit.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.