From: Olaf Dietsche <olaf.dietsche#list.linux-kernel@t-online.de>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Posix capabilities
Date: Thu, 17 Oct 2002 12:37:30 +0200 [thread overview]
Message-ID: <874rblcpw5.fsf@goat.bogus.local> (raw)
In-Reply-To: 20021017032619.GA11954@think.thunk.org
"Theodore Ts'o" <tytso@mit.edu> writes:
> Personally, I'm not so convinced that capabilities are such a great
> idea. System administrators have a hard enough time keeping 12 bits
> of permissions correct on executable files; with capabilities they
> have to keep track of several hundred bits of capabilties flags, which
So you claim, system administrators are stupid people?
> must be set precisely correctly, or the programs will either (a) fail
> to function,
Which you will notice very fast.
> or (b) have a gaping huge security hole.
Which is not worse, but possibly a lot better, than setuid root.
> This probablem could be solved with some really scary, complex user
> tools (which no one has written yet). Alternatively you could just
> let programs continue to be setuid root, but modify the executable to
> explicitly drop all the capabilities except for the ones that are
> actually needed as one of the first things that executable does. It
Which isn't convincing, either. The benefit of capabilities is to
administer your system _without_ relying on someone else doing a
decent job.
> perhaps only gives you 90% of the benefits of the full-fledged
> capabilities model, but it's much more fool proof, and much easier to
> administer.
With capabilities you don't have to resort to programming, which _is_
already an easier way to administer. This also means, distribution
builders, who may not be coders, can contribute to enhance security.
Maybe this sounds like a plea for capabilities and maybe it is, but I
just want to put some things straight. Unless there's something
better, I stay with capabilities.
To be more constructive, I want to point to
<http://www.linux.it/~md/software/ssd.tgz>. This is a modified
start-stop-daemon, which allows to change capabilities. With this
really scary, complex user tool (which to some extent it is, when you
look at the code), I was able to drop all the capabilities except for
the ones that are actually needed. ;-)
Regards, Olaf.
next prev parent reply other threads:[~2002-10-17 10:31 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-10-16 15:44 Posix capabilities Stefan Schwandter
2002-10-16 16:22 ` Bosko Radivojevic
2002-10-17 3:26 ` Theodore Ts'o
2002-10-17 4:00 ` GrandMasterLee
2002-10-17 13:22 ` Horst von Brand
2002-10-18 6:38 ` GrandMasterLee
2002-10-17 10:37 ` Olaf Dietsche [this message]
2002-10-17 11:02 ` Andreas Gruenbacher
2002-10-17 12:12 ` Theodore Ts'o
2002-10-17 15:36 ` Olaf Dietsche
2002-10-17 17:17 ` Alex Riesen
2002-10-18 16:13 ` Rogier Wolff
2002-10-17 13:40 ` Henning P. Schmiedehausen
2002-10-17 12:05 ` Stefan Schwandter
2002-10-17 12:20 ` Theodore Ts'o
2002-10-20 14:16 ` Pavel Machek
2002-10-27 13:46 ` Andreas Gruenbacher
-- strict thread matches above, loose matches on Subject: below --
2002-10-17 20:43 Neil Schemenauer
2002-10-20 14:18 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874rblcpw5.fsf@goat.bogus.local \
--to=olaf.dietsche#list.linux-kernel@t-online.de \
--cc=linux-kernel@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox