From: Karel Zak <kzak@redhat.com>
To: Steven Stewart-Gallus <sstewartgallus00@mylangara.bc.ca>
Cc: Mike Frysinger <vapier@gentoo.org>, util-linux@vger.kernel.org
Subject: Re: Utilities don't take into account capabilities
Date: Tue, 19 Aug 2014 11:07:37 +0200 [thread overview]
Message-ID: <20140819090737.GA22187@x2.net.home> (raw)
In-Reply-To: <fb47b4bfaf39.53f23a83@langara.bc.ca>
On Mon, Aug 18, 2014 at 05:40:19PM +0000, Steven Stewart-Gallus wrote:
> > guessing the sandbox isn't really meant for security purposes since
> > CAP_SYS_ADMIN can easily be used to recover just about every other
> > capability. http://lwn.net/Articles/486306/
The currently supported scenario is that you can remove suid from
mount(8) and replace it with cap_dac_override,cap_sys_admin+ep. Note
that in this case mount(8) still requires 'user' in fstab of course.
The disadvantage is that mount(8) is not able to update for example
/etc/mtab (or /run/mount/utab), because cap_sys_admin is just subset
of the original suid privileges.
> capabilities in a CLONE_NEW_USER sandbox only apply to the sandbox and not
> things outside of the sandbox such as devices.
Well, user namespace is little bit different story and we already
talked about it (in May).
http://www.spinics.net/lists/util-linux-ng/msg09309.html
The idea is that we can drop privileges rather than exit with "only
root can..." error message. I'd like to try it during this release
cycle.
Karel
--
Karel Zak <kzak@redhat.com>
http://karelzak.blogspot.com
next prev parent reply other threads:[~2014-08-19 9:07 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-16 21:57 Utilities don't take into account capabilities Steven Stewart-Gallus
2014-08-17 20:54 ` Linda Walsh
2014-08-18 0:57 ` Steven Stewart-Gallus
2014-08-18 1:23 ` Linda Walsh
2014-08-18 14:47 ` Dale R. Worley
2014-08-18 19:19 ` Linda Walsh
2014-08-18 21:57 ` Dale R. Worley
2014-08-18 12:05 ` Mike Frysinger
2014-08-18 17:40 ` Steven Stewart-Gallus
2014-08-19 9:07 ` Karel Zak [this message]
2014-08-19 21:54 ` Steven Stewart-Gallus
2014-08-22 0:38 ` Linda Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140819090737.GA22187@x2.net.home \
--to=kzak@redhat.com \
--cc=sstewartgallus00@mylangara.bc.ca \
--cc=util-linux@vger.kernel.org \
--cc=vapier@gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).