[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <242a0a8f0604060838s4c23fe5bw8f378d173642ee50@mail.gmail.com>
Date: Thu Apr 6 16:38:58 2006
From: eaton.lists at gmail.com (Brian Eaton)
Subject: Re: [SC-L] Re: [Owasp-dotnet] RE: 4 Questions:
Latest IE vulnerability, Firefox vs IE security,
User vs Admin risk profile,
and browsers coded in 100% Managed Verifiable code
On 4/5/06, Crispin Cowan <crispin@...ell.com> wrote:
> Pascal Meunier wrote:
> > but as you posted an example profile with "capability setuid", I must
> > admit I am curious as to why an email client needs that.
> Well now that is a very good question, but it has nothing to do with
> AppArmor. The AppArmor learning mode just records the actions that the
> application performs. With or without AppArmor, the Thunderbird mail
> client is using cap_setuid. AppArmor gives you the opportunity to *deny*
> that capability, so you can try blocking it and find out. But for
> documentation on why Thunderbird needs it, you would have to look at
> mozilla.org not the AppArmor pages.
Does cap_setuid give a program enough authority to break out of the
AppArmor profile?
Regards,
Brian
Powered by blists - more mailing lists