[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060911160002.78419.qmail@web36614.mail.mud.yahoo.com>
Date: Mon, 11 Sep 2006 09:00:02 -0700 (PDT)
From: Casey Schaufler <casey@...aufler-ca.com>
To: David Madore <david.madore@....fr>
Cc: Linux Kernel mailing-list <linux-kernel@...r.kernel.org>
Subject: Re: capability inheritance (was: Re: patch to make Linux capabilities into something useful (v 0.3.1))
--- David Madore <david.madore@....fr> wrote:
> I can see no way of reconciling the POSIX rules with
> sane Unix behavior.
While one strives to maintain the decorum of
friendly debate, "Them's fighting words"*.
Have you read the POSIX DRAFT rationale section?
Have you read any of the DRAFT, for that matter?
Breaking privilege apart from UID==0 and the
setuid mechanism while allowing a system that
could still work without requiring programs
to be rewritten took quite a while. The DRAFT
versions don't differ that greatly after about
DRAFT 12. The scheme has been implemented
several times.
> Hence I can only give up if someone
> insists that the POSIX
> draft should be adhered to.
>
> (Just in case someone were tempted to get away with
> a handwaving such
> as "just follow the POSIX rules except for suid
> root...", let that
> someone please try to come up with a full
> description of the rules
> which breaks nothing, and he will understand that
> it's not at all easy.)
The relationship between setuid and file based
capabilitiy sets is straitforward. There is
none. If your system supports root or capability
(like Irix) or strictly capability (like Trix)
the calculation is identical. There is a full
descrition of the rules in the DRAFT. If you
have questions about it, I'd be happy to dust
off my copy to help you understand it.
----
* Yosemite Sam in "High Diving Hare", 1949
Casey Schaufler
casey@...aufler-ca.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists