From: Andy Lutomirski <luto@myrealbox.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Albert Cahalan <albert@users.sourceforge.net>,
linux-kernel mailing list <linux-kernel@vger.kernel.org>,
luto@myrealbox.com, Chris Wright <chrisw@osdl.org>,
olaf+list.linux-kernel@olafdietsche.de, Valdis.Kletnieks@vt.edu
Subject: Re: [PATCH] capabilites, take 2
Date: Fri, 14 May 2004 08:57:38 -0700 [thread overview]
Message-ID: <40A4EC72.2020209@myrealbox.com> (raw)
In-Reply-To: <fa.mu5rj3d.24gtbp@ifi.uio.no>
Stephen Smalley wrote:
> On Fri, 2004-05-14 at 08:03, Albert Cahalan wrote:
>
>>This would be an excellent time to reconsider how capabilities
>>are assigned to bits. You're breaking things anyway; you might
>>as well do all the breaking at once. I want local-use bits so
>>that the print queue management access isn't by magic UID/GID.
>>We haven't escaped UID-as-priv if server apps and setuid apps
>>are still making UID-based access control decisions.
>
>
> Capabilities are a broken model for privilege management; try RBAC/TE
> instead. http://www.securecomputing.com/pdf/secureos.pdf has notes
> about the history and comparison of capabilities vs. TE.
>
> Instead of adding new capability bits, replace capable() calls with LSM
> hook calls that offer you finer granularity both in operation and in
> object-based decisions, and then use a security module like SELinux to
> map that to actual permission checks. SELinux provides a framework for
> defining security classes and permissions, including both definitions
> used by the kernel and definitions used by userspace policy enforcers
> (ala security-enhanced X).
>
Thanks -- turning brain back on, SELinux is obviously better than any
fine-grained capability scheme I can imagine.
So unless anyone convinces me you're wrong, I'll stick with just
fixing up capabilities to work without making them finer-grained.
--Andy
next parent reply other threads:[~2004-05-14 15:57 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <fa.dt4cg55.jnqvr5@ifi.uio.no>
[not found] ` <fa.mu5rj3d.24gtbp@ifi.uio.no>
2004-05-14 15:57 ` Andy Lutomirski [this message]
2004-05-14 16:01 ` [PATCH] capabilites, take 2 Stephen Smalley
2004-05-14 16:18 ` Andy Lutomirski
2004-05-14 16:37 ` Stephen Smalley
2004-05-14 18:07 ` Chris Wright
2004-05-14 22:48 ` [PATCH] scaled-back caps, take 4 (was Re: [PATCH] capabilites, take 2) Andy Lutomirski
2004-05-15 0:06 ` [PATCH] scaled-back caps, take 4 Olaf Dietsche
2004-05-14 22:09 ` Albert Cahalan
2004-05-15 0:27 ` Chris Wright
[not found] ` <20040517231912.H21045@build.pdx.osdl.net>
2004-05-18 9:11 ` [PATCH] scaled-back caps, take 4 (was Re: [PATCH] capabilites, take 2) Andy Lutomirski
2004-05-19 1:27 ` Chris Wright
2004-05-19 1:54 ` [PATCH] scaled-back caps, take 4 Andy Lutomirski
2004-05-19 7:30 ` Chris Wright
2004-05-23 9:28 ` Andy Lutomirski
2004-05-23 18:48 ` Olaf Dietsche
2004-05-24 23:38 ` [PATCH] caps, compromise version (was Re: [PATCH] scaled-back caps, take 4) Andy Lutomirski
2004-05-24 23:56 ` Chris Wright
2004-05-25 0:23 ` Andy Lutomirski
[not found] ` <20040517235844.I21045@build.pdx.osdl.net>
2004-05-19 1:34 ` [PATCH] support cap inheritable (Re: [PATCH] scaled-back caps, take 4 (was Re: [PATCH] capabilites, take 2) Andy Lutomirski
2004-05-19 7:27 ` Chris Wright
2004-05-14 12:03 [PATCH] capabilites, take 2 Albert Cahalan
2004-05-14 14:53 ` Andy Lutomirski
2004-05-14 17:58 ` Chris Wright
2004-05-14 15:21 ` Stephen Smalley
2004-05-14 15:19 ` Albert Cahalan
2004-05-14 18:06 ` Stephen Smalley
2004-05-14 17:32 ` Albert Cahalan
2004-05-14 21:11 ` Chris Wright
2004-05-14 19:32 ` Albert Cahalan
2004-05-14 18:00 ` Chris Wright
2004-05-14 17:48 ` Chris Wright
-- strict thread matches above, loose matches on Subject: below --
2004-05-13 20:08 Andy Lutomirski
2004-05-14 1:20 ` Chris Wright
2004-05-14 1:35 ` Valdis.Kletnieks
2004-05-14 4:51 ` Chris Wright
2004-05-14 5:33 ` Olaf Dietsche
2004-05-14 6:04 ` Valdis.Kletnieks
2004-05-14 7:09 ` Olaf Dietsche
2004-05-14 2:27 ` Andy Lutomirski
2004-05-14 4:48 ` Chris Wright
2004-05-14 5:58 ` Andy Lutomirski
2004-05-14 17:45 ` Chris Wright
2004-05-14 6:39 ` Olaf Dietsche
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40A4EC72.2020209@myrealbox.com \
--to=luto@myrealbox.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=albert@users.sourceforge.net \
--cc=chrisw@osdl.org \
--cc=linux-kernel@vger.kernel.org \
--cc=olaf+list.linux-kernel@olafdietsche.de \
--cc=sds@epoch.ncsc.mil \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox