From: Dax Kelson <dax@gurulabs.com>
To: Chris Wright <chris@wirex.com>
Cc: Jesse Pollard <pollard@tomcat.admin.navo.hpc.mil>,
Michael Kerrisk <m.kerrisk@gmx.net>,
linux-kernel@vger.kernel.org
Subject: Re: Status of capabilities?
Date: 27 Jun 2002 16:52:33 -0600 [thread overview]
Message-ID: <1025218353.3997.33.camel@mentor> (raw)
In-Reply-To: <20020627135422.B26112@figure1.int.wirex.com>
On Thu, 2002-06-27 at 14:54, Chris Wright wrote:
> * Jesse Pollard (pollard@tomcat.admin.navo.hpc.mil) wrote:
> >
> > Actually, I think most of that work has already been done by the Linux
> > Security Module project (well, except #7).
>
> The LSM project supports capabilities exactly as it appears in the
> kernel right now. The EA linkage is still missing. Of course, we are
> accepting patches ;-)
Has either lscap or chcap been written? I suppose not as that would
require a consensus on how capabilities would be stored as a EA.
That EA would need to be "special" and only be changeable by uid 0 (or
CAP_CHFSCAP).
So, has any of the below changed now that LSM has entered the picture?
1. Define how capabilities will be stored as a EA
2. Teach fs/exec.c to use the capabilities stored with the file
3. Write lscap(1)
4. Write chcap(1)
5. Audit/fix all SUID root binaries to be capabilities aware
6. Set appropriate capabilities with for each with chcap(1) and then:
# find / -type f -perm -4000 -user root -exec chmod u-s {} \;
7. Party and snicker in the general direction of that OS with the slogan
"One remote hole in the default install, in nearly 6 years!"
Dax Kelson
next prev parent reply other threads:[~2002-06-27 22:50 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-06-26 12:40 Status of capabilities? Michael Kerrisk
2002-06-27 6:05 ` Dax Kelson
2002-06-27 12:57 ` Jesse Pollard
2002-06-27 20:54 ` Chris Wright
2002-06-27 22:52 ` Dax Kelson [this message]
2002-07-06 20:56 ` Chris Wright
-- strict thread matches above, loose matches on Subject: below --
2002-06-28 13:20 Jesse Pollard
2002-05-10 6:28 Michael Kerrisk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1025218353.3997.33.camel@mentor \
--to=dax@gurulabs.com \
--cc=chris@wirex.com \
--cc=linux-kernel@vger.kernel.org \
--cc=m.kerrisk@gmx.net \
--cc=pollard@tomcat.admin.navo.hpc.mil \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox