From: David Madore <david.madore@ens.fr>
To: Linux Kernel mailing-list <linux-kernel@vger.kernel.org>
Cc: Valdis.Kletnieks@vt.edu
Subject: Re: capabilities patch (v 0.1)
Date: Tue, 9 Aug 2005 22:48:54 +0200 [thread overview]
Message-ID: <20050809204854.GA4983@clipper.ens.fr> (raw)
In-Reply-To: <200508092028.j79KSVYW028307@turing-police.cc.vt.edu>
On Tue, Aug 09, 2005 at 04:28:31PM -0400, Valdis.Kletnieks@vt.edu wrote:
> On Tue, 09 Aug 2005 07:26:21 +0200, David Madore said:
> > * Second, a much more extensive change, the patch introduces a third
> > set of capabilities for every process, the "bounding" set. Normally
> > the bounding set has every capability in it
>
> How is this different in semantics from the existing 'permitted' capset?
The permitted sets is a set of capabilities really available to the
process (though they may be temporarily dropped by removing them from
the effective set, they are still available to take back). In
contrast, the bounding set capabilities are not readily available to
the process; it just means that the capabilities in question *might*
be acquired by running a suid program (or setcap program if filesystem
support for capabilities ever comes to Linux).
Currently this is more or less an all-or-nothing process: since
capabilities can only be acquired by running a suid program, removing
any capability from the bounding set means the program will never be
permitted to execute a suid program any more (execve() will fail with
EPERM). But maybe I'll reinstate the CAP_SETPCAP thing in some future
version of the patch (I'm still waiting for someone to tell me what
was wrong with CAP_SETPCAP and why it was removed), and then the
bounding set should also prohibit capabilities being given through
that interface.
The bottom line is: if you have some untrusted process, it might be
wise to remove empty its bounding set, making it incapable of
executing a suid root program and thus acquiring new capabilities. (I
also plan to add some normally-available-to-all capabilities such as
"permission to fork()", "permission to exec()" and so on, and then it
will also be useful to remove these from a process's permitted set.)
> include/linux/capabilities.h:
>
> typedef struct __user_cap_data_struct {
> __u32 effective;
> __u32 permitted;
> __u32 inheritable;
> } __user *cap_user_data_t;
>
And my patch adds a __u32 bounding to that structure.
--
David A. Madore
(david.madore@ens.fr,
http://www.madore.org/~david/ )
next prev parent reply other threads:[~2005-08-09 20:48 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-08-09 5:26 capabilities patch (v 0.1) David Madore
2005-08-09 5:37 ` Chris Wright
2005-08-09 20:36 ` David Madore
2005-08-09 20:28 ` Valdis.Kletnieks
2005-08-09 20:48 ` David Madore [this message]
[not found] <4zuQJ-20d-11@gated-at.bofh.it>
[not found] ` <4zv0l-2b8-11@gated-at.bofh.it>
2005-08-09 20:21 ` Bodo Eggert
2005-08-09 20:52 ` Chris Wright
2005-08-09 21:05 ` David Madore
2005-08-09 21:36 ` Bodo Eggert
2005-08-09 21:48 ` David Madore
2005-08-10 0:53 ` David Wagner
2005-08-09 22:24 ` Chris Wright
2005-08-09 22:58 ` Bodo Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050809204854.GA4983@clipper.ens.fr \
--to=david.madore@ens.fr \
--cc=Valdis.Kletnieks@vt.edu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox