From: David Madore <david.madore@ens.fr>
To: Linux Kernel mailing-list <linux-kernel@vger.kernel.org>
Subject: Re: capabilities patch (v 0.1)
Date: Tue, 9 Aug 2005 22:36:36 +0200 [thread overview]
Message-ID: <20050809203636.GA28313@clipper.ens.fr> (raw)
In-Reply-To: <20050809053724.GG7991@shell0.pdx.osdl.net>
On Tue, Aug 09, 2005 at 05:37:56AM +0000, Chris Wright wrote:
> * David Madore (david.madore@ens.fr) wrote:
> > * Second, a much more extensive change, the patch introduces a third
> > set of capabilities for every process, the "bounding" set. Normally
>
> this is not a good idea. don't add more sets.
Could you elaborate? Why is adding sets bad? From what I read of the
June 2000 discussions on the linux-privs-discuss mailing-list (<URL:
http://sourceforge.net/mailarchive/forum.php?forum_id=25120&max_rows=25&style=flat&viewmonth=200006
>), a rather large consensus had formed around the idea that some
kind of bounding set was a useful idea (as a matter of fact, the
sendmail problem came essentially from the fact that some people
wanted an inheritable set and other people wanted a bounding set, and
the code was some mixture of the two); and it had been argued
convincincly that it could be made POSIX compliant if that is the
issue. Plus, Solaris privileges also come in four sets.
If it's compatibility you're worried about, it seems to me that the
user interface can be made so that it will still work with the old
libcap and merely ignore the bounding set. So full binary
compatibility will be achieved, at least on the user level.
Finally, if it's a matter of kernel policy, I seem to understand that
my patch has a snowball's chance in hell of ever being accepted in the
mainstream kernel (I mean, it's not as though this were new: patches
to make capabilities work have been available ever since the sendmail
exploit, and in five years they haven't ever been accepted, so I
suppose there's a reason to this), so adding a fourth set of
capabilities of my own initiative isn't going to change a thing there.
So what's the problem?
> if you really want to
> work on this i'll give you all the patches that have been done thus far,
> plus a set of tests that look at all the execve, ptrace, setuid type of
> corner cases.
Yes, I'm very interested in the test suite.
--
David A. Madore
(david.madore@ens.fr,
http://www.madore.org/~david/ )
next prev parent reply other threads:[~2005-08-09 20:36 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-08-09 5:26 capabilities patch (v 0.1) David Madore
2005-08-09 5:37 ` Chris Wright
2005-08-09 20:36 ` David Madore [this message]
2005-08-09 20:28 ` Valdis.Kletnieks
2005-08-09 20:48 ` David Madore
[not found] <4zuQJ-20d-11@gated-at.bofh.it>
[not found] ` <4zv0l-2b8-11@gated-at.bofh.it>
2005-08-09 20:21 ` Bodo Eggert
2005-08-09 20:52 ` Chris Wright
2005-08-09 21:05 ` David Madore
2005-08-09 21:36 ` Bodo Eggert
2005-08-09 21:48 ` David Madore
2005-08-10 0:53 ` David Wagner
2005-08-09 22:24 ` Chris Wright
2005-08-09 22:58 ` Bodo Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050809203636.GA28313@clipper.ens.fr \
--to=david.madore@ens.fr \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox