From: Casey Schaufler <casey@schaufler-ca.com>
To: "Bill O'Donnell" <billodo@sgi.com>,
KaiGai Kohei <kaigai@kaigai.gr.jp>,
"Serge E. Hallyn" <serue@us.ibm.com>,
Chris Friedhoff <chris@friedhoff.org>
Cc: linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH] Implement file posix capabilities
Date: Wed, 24 Jan 2007 12:24:18 -0800 (PST) [thread overview]
Message-ID: <239813.31714.qm@web36606.mail.mud.yahoo.com> (raw)
In-Reply-To: <20070124163004.GA15979@sgi.com>
--- Bill O'Donnell <billodo@sgi.com> wrote:
> ... That said, can one expect, through
> the use of these enhanced capabilities,
> to be able to add some finer grain
> capabilities based on a specific userid?
POSIX capabilities are explictly disjoint from
userids in the kernel, and this is by design.
You could provide limited capability sets to
users at the application layer.
> In Chris' ping example,
> the suid is removed from /bin/ping to restrict it to
> root, and a
> capability added to allow any user to execute it.
> Can that example
> be extended to make it so only a _particular_ user
> can execute it?
Give the file the capability and set an
ACL that allows only that user execute access.
> I realize with SELinux, one could achieve the goal,
> but as a stopgap,
> can capabilities be used to get there?
Certainly, as above.
> Thanks,
> Bill
>
> --
> Bill O'Donnell
> SGI
Have a look in /etc/irix.cap on a Trix box
some time. I suspect there might be one in
your facility.
Casey Schaufler
casey@schaufler-ca.com
prev parent reply other threads:[~2007-01-24 20:24 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-11-27 17:07 [PATCH] Implement file posix capabilities Serge E. Hallyn
2006-11-29 10:28 ` Chris Friedhoff
2006-11-29 20:40 ` Bill O'Donnell
2006-11-30 18:05 ` Bill O'Donnell
2006-11-30 22:57 ` Serge E. Hallyn
2006-12-01 19:28 ` Bill O'Donnell
2006-12-02 3:30 ` KaiGai Kohei
2007-01-24 16:30 ` Bill O'Donnell
2007-01-24 20:24 ` Casey Schaufler [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=239813.31714.qm@web36606.mail.mud.yahoo.com \
--to=casey@schaufler-ca.com \
--cc=billodo@sgi.com \
--cc=chris@friedhoff.org \
--cc=kaigai@kaigai.gr.jp \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox