lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060906132623.GA15665@clipper.ens.fr>
Date:	Wed, 6 Sep 2006 15:26:23 +0200
From:	David Madore <david.madore@....fr>
To:	Linux Kernel mailing-list <linux-kernel@...r.kernel.org>
Subject: Re: patch to make Linux capabilities into something useful (v 0.3.1)

On Wed, Sep 06, 2006 at 10:06:35AM +0000, David Madore wrote:
> On Wed, Sep 06, 2006 at 12:27:50AM +0000, Casey Schaufler wrote:
> > The current work in progress to support
> > capability set on files will address this
> > longstanding issue.
> 
> It seems to me that the issues of the capability inheritance semantics
> and the capability filesystem support are quite orthogonal.  My patch
> provides the first, and will quite happily live with a patch such as
> <URL: http://lwn.net/Articles/142507/ > providing filesystem support.
> 
> Even in the absence of filesystem support, there is no reason for
> capabilities not to be inheritable: this is what my patch addresses.
> Of course, it is even more interesting in the presence of filesystem
> support.  (I could provide a combined patch that would do both, with
> xattrs, as a proof of concept.)

Followup on this: maybe you were referring to the patch in <URL:
http://groups.google.com/group/fa.linux.kernel/msg/61d191383c8b19f9
 > (= <URL: http://lkml.org/lkml/2006/7/29/221 >), by Serge E. Hallyn,
which adds filesystem support for capabilities.  I haven't actually
checked in detail, but reading throught it, it appears to be quite
compatible with my own patch (one merely needs to do something about
the new bunch of capabilities I've introduced, but it should be easy
to hack something which makes sure no programs are surprised or
broken).  I'll try to come up with a combined patch soon, which will
add both the inheritability support I suggest *and* filesystem
support.

I emphasize that the filesystem support patch described above, alone,
will *not* solve the inheritability problem (as my patch does), since
unmarked executables continue to inherit no caps at all.  With my
patch, they behave as though they had a full inheritable set,
something which is required if we want to make something useful of
capabilities on non-caps-aware programs.

-- 
     David A. Madore
    (david.madore@....fr,
     http://www.madore.org/~david/ )
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ