Open Source and information security mailing list archives
Message-Id: <20061123001458.fe73f64a.akpm@osdl.org>
Date:	Thu, 23 Nov 2006 00:14:58 -0800
From:	Andrew Morton <akpm@...l.org>
To:	"Serge E. Hallyn" <serue@...ibm.com>
Cc:	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	Stephen Smalley <sds@...ho.nsa.gov>,
	James Morris <jmorris@...ei.org>,
	Chris Wright <chrisw@...s-sol.org>,
	KaiGai Kohei <kaigai@...gai.gr.jp>,
	Chris Friedhoff <chris@...edhoff.org>,
	Alexey Dobriyan <adobriyan@...il.com>
Subject: Re: security: introduce file caps

On Mon, 13 Nov 2006 21:06:55 -0600
"Serge E. Hallyn" <serue@...ibm.com> wrote:

> Implement file posix capabilities.  This allows programs to be given
> a subset of root's powers regardless of who runs them, without
> having to use setuid and giving the binary all of root's powers.

With this patch applied, my X server fails to exit when I do the normal
logout thing from the KDE menus.

The distro is FC5, SELinux is enabled.  I start X via `startx'.

All the X clients have gone away, but the server continues to run.  Black
screen with just a mouse pointer which still responds to movement.

This happens with CONFIG_SECURITY_FS_CAPABILITIES=n as well as =y.

ps auxfw says:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.1  0.0   2000   676 ?        Ss   01:04   0:00 init [3]
root         2  0.0  0.0      0     0 ?        SN   01:04   0:00 [ksoftirqd/0]
root         3  0.0  0.0      0     0 ?        S    01:04   0:00 [watchdog/0]
root         4  0.0  0.0      0     0 ?        S<   01:04   0:00 [events/0]
root         5  0.0  0.0      0     0 ?        S<   01:04   0:00 [khelper]
root         6  0.0  0.0      0     0 ?        S<   01:04   0:00 [kthread]
root        47  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [kblockd/0]
root        48  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [kacpid]
root       152  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [ata/0]
root       153  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [ata_aux]
root       154  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [ksuspend_usbd]
root       157  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [khubd]
root       159  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [kseriod]
root       179  0.0  0.0      0     0 ?        S    01:04   0:00  \_ [pdflush]
root       180  0.0  0.0      0     0 ?        S    01:04   0:00  \_ [pdflush]
root       181  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [kswapd0]
root       182  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [aio/0]
root       291  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [scsi_eh_0]
root       292  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [scsi_eh_1]
root       297  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [scsi_eh_2]
root       298  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [scsi_eh_3]
root       311  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [pccardd]
root       321  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [kpsmoused]
root       326  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [kedac]
root       354  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [kjournald]
root       740  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [hda_codec]
root       975  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [khpsbpkt]
root      1110  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [knodemgrd_0]
root      1680  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [kauditd]
root      2237  0.0  0.0      0     0 ?        S<   01:04   0:00  \_ [ipw2200/0]
root       421  0.0  0.0   2212   648 ?        S<s  01:04   0:00 /sbin/udevd -d
root      1427  0.0  0.0   1584   280 ?        Ss   01:04   0:00 cpuspeed -d -n
root      1624  0.0  0.0   1652   592 ?        Ss   01:04   0:00 syslogd -m 0
root      1627  0.0  0.0   1604   392 ?        Ss   01:04   0:00 klogd -x
rpc       1644  0.0  0.0   1736   552 ?        Ss   01:04   0:00 portmap
rpcuser   1663  0.0  0.0   1744   716 ?        Ss   01:04   0:00 rpc.statd
root      1678  0.0  0.0   9944   604 ?        S<sl 01:04   0:00 auditd
root      1707  0.0  0.0   4728   584 ?        Ss   01:04   0:00 rpc.idmapd
dbus      1721  0.0  0.1  11268  1104 ?        Ssl  01:04   0:00 dbus-daemon --system
root      1763  0.0  0.0   1820   460 ?        Ss   01:04   0:00 /usr/bin/hidd --server
root      1850  0.0  0.0   1872   748 ?        Ss   01:04   0:00 /usr/sbin/automount --timeout=60 --debug /net program /etc/auto.net
root      1863  0.0  0.0   1600   460 ?        Ss   01:04   0:00 /usr/sbin/acpid
root      1872  0.0  0.0   5008   488 ?        Ss   01:04   0:00 ./hpiod
root      1877  0.0  0.4  12572  4720 ?        S    01:04   0:00 python ./hpssd.py
root      1888  0.0  0.1   4984  1100 ?        Ss   01:04   0:00 /usr/sbin/sshd
root      2354  0.0  0.2   7800  2516 ?        Ss   01:04   0:00  \_ sshd: akpm [priv]
akpm      2408  0.0  0.1   7928  1964 ?        S    01:04   0:00  |   \_ sshd: akpm@.../0 
akpm      2443  0.0  0.2   5872  2364 pts/0    Ss+  01:04   0:00  |       \_ -zsh
root      3198  0.0  0.2   7800  2512 ?        Ss   01:05   0:00  \_ sshd: akpm [priv]
akpm      3202  0.0  0.1   7928  2004 ?        S    01:05   0:00      \_ sshd: akpm@.../1 
akpm      3209  0.0  0.2   6004  2568 pts/1    Ss   01:05   0:00          \_ -zsh
akpm      3264  0.0  0.0   2104   840 pts/1    R+   01:11   0:00              \_ ps auxfw
root      1900  0.0  0.0   2228   808 ?        Ss   01:04   0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
ntp       1912  0.0  0.4   4244  4244 ?        SLs  01:04   0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root      1957  0.0  0.0   1824   344 ?        Ss   01:04   0:00 gpm -m /dev/input/mice -t exps2
root      1966  0.0  0.1   5188  1192 ?        Ss   01:04   0:00 crond
xfs       2001  0.1  0.2   4204  2492 ?        Ss   01:04   0:00 xfs -droppriv -daemon
root      2010  0.0  0.0   1596   496 ?        SNs  01:04   0:00 anacron -s
root      2018  0.0  0.0   2164   444 ?        Ss   01:04   0:00 /usr/sbin/atd
root      2027  0.0  0.1   3136  1152 ?        Ss   01:04   0:00 cups-config-daemon
68        2037  0.6  0.3   5100  3436 ?        Ss   01:04   0:02 hald
root      2038  0.0  0.1   3136  1048 ?        S    01:04   0:00  \_ hald-runner
68        2044  0.0  0.0   2236   868 ?        S    01:04   0:00      \_ /usr/libexec/hald-addon-acpi
68        2052  0.0  0.0   2236   872 ?        S    01:04   0:00      \_ /usr/libexec/hald-addon-keyboard
root      2127  0.0  0.1   2744  1316 ?        Ss   01:04   0:00 login -- akpm
akpm      2453  0.0  0.2   5968  2492 tty1     Ss+  01:04   0:00  \_ -zsh
root      2128  0.0  0.0   1588   408 tty2     Ss+  01:04   0:00 /sbin/mingetty tty2
root      2129  0.0  0.0   1588   408 tty3     Ss+  01:04   0:00 /sbin/mingetty tty3
root      2130  0.0  0.0   1584   404 tty4     Ss+  01:04   0:00 /sbin/mingetty tty4
root      2131  0.0  0.0   1584   404 tty5     Ss+  01:04   0:00 /sbin/mingetty tty5
root      2132  0.0  0.0   1584   404 tty6     Ss+  01:04   0:00 /sbin/mingetty tty6
root      2753  0.0  0.1   8364  1928 ?        Ss   01:05   0:00 sendmail: accepting connections
smmsp     2764  0.0  0.1   7344  1712 ?        Ss   01:05   0:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root      2784  0.7  0.8  13284  8428 tty7     Ss+  01:05   0:02 X :0 -auth /home/akpm/.serverauth.2767
akpm      2948  0.0  0.0   2864   264 ?        Ss   01:05   0:00 syndaemon -k -i 1 -d
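The quoted patch description says a binary can carry "a subset of root's powers regardless of who runs them". The following is an added example, not code from the patch or from anyone on this thread: it decodes a constructed security.capability xattr value and applies the exec-time capability rules to it, so the "subset of root" claim can be checked arithmetically. Assumptions: the blob layout is mainline's VFS_CAP_REVISION_1/2 struct vfs_cap_data (the 2006 patch's exact on-disk format is not shown on this page), the rules are the pre-ambient ones from capabilities(7), the sample_xattr bytes are made up, and the helper names (decode_vfs_caps, apply_exec_caps, sample_exec and friends) are mine.

```c
/*
 * Added example, not code from the file-caps patch or from this thread.
 * Layout assumed: mainline VFS_CAP_REVISION_1/2 struct vfs_cap_data.
 * Exec rules assumed: pre-ambient form from capabilities(7).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define VFS_CAP_REVISION_1      0x01000000u   /* one {permitted,inheritable} pair  */
#define VFS_CAP_REVISION_2      0x02000000u   /* two pairs: low and high 32 bits   */

/* Capability numbers from <linux/capability.h>. */
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_RAW          13
#define CAP_TO_MASK(c)       ((uint64_t)1 << (c))

struct fcaps { uint64_t permitted, inheritable; int effective; };       /* file sets    */
struct pcaps { uint64_t permitted, inheritable, effective, bounding; };  /* process sets */

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Parse __le32 magic_etc followed by 1 (rev 1) or 2 (rev 2) entries of
 * { __le32 permitted; __le32 inheritable; }.  Returns 0, or -1 for a
 * truncated, oversized or unknown-revision blob (revision 3, which adds a
 * rootid for user namespaces, is deliberately rejected here).
 */
int decode_vfs_caps(const unsigned char *buf, size_t len, struct fcaps *out)
{
    size_t words;
    uint32_t magic;

    if (len < 4)
        return -1;
    magic = le32(buf);
    switch (magic & VFS_CAP_REVISION_MASK) {
    case VFS_CAP_REVISION_1: words = 1; break;
    case VFS_CAP_REVISION_2: words = 2; break;
    default: return -1;
    }
    if (len != 4 + words * 8)
        return -1;                       /* exact size only: no trailing garbage */

    memset(out, 0, sizeof *out);
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    for (size_t i = 0; i < words; i++) {
        out->permitted   |= (uint64_t)le32(buf + 4 + i * 8)     << (32 * i);
        out->inheritable |= (uint64_t)le32(buf + 4 + i * 8 + 4) << (32 * i);
    }
    return 0;
}

/*
 * capabilities(7), pre-ambient form:
 *   P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding))
 *   P'(effective) = F(effective) ? P'(permitted) : 0
 *   inheritable and bounding sets are carried over unchanged.
 */
struct pcaps apply_exec_caps(const struct pcaps *p, const struct fcaps *f)
{
    struct pcaps n = *p;

    n.permitted = (p->inheritable & f->inheritable) | (f->permitted & p->bounding);
    n.effective = f->effective ? n.permitted : 0;
    return n;
}

/* Constructed blob (not from a real binary): rev 2, effective flag set,
 * permitted = {CAP_NET_RAW}, inheritable = {CAP_NET_BIND_SERVICE}. */
static const unsigned char sample_xattr[20] = {
    0x01, 0x00, 0x00, 0x02,   /* magic_etc = 0x02000001, little-endian */
    0x00, 0x20, 0x00, 0x00,   /* data[0].permitted   = 1 << 13 */
    0x00, 0x04, 0x00, 0x00,   /* data[0].inheritable = 1 << 10 */
    0x00, 0x00, 0x00, 0x00,   /* data[1].permitted   (bits 32..63) */
    0x00, 0x00, 0x00, 0x00,   /* data[1].inheritable (bits 32..63) */
};

/* Exec the sample binary from a process with the given inheritable/bounding sets. */
static struct pcaps sample_exec(uint64_t proc_inheritable, uint64_t proc_bounding)
{
    struct fcaps f;
    struct pcaps p = { 0, proc_inheritable, 0, proc_bounding };

    if (decode_vfs_caps(sample_xattr, sizeof sample_xattr, &f) != 0)
        return (struct pcaps){ 0, 0, 0, 0 };
    return apply_exec_caps(&p, &f);
}

uint64_t sample_permitted_after_exec(uint64_t inh, uint64_t bnd) { return sample_exec(inh, bnd).permitted; }
uint64_t sample_effective_after_exec(uint64_t inh, uint64_t bnd) { return sample_exec(inh, bnd).effective; }

int main(void)
{
    /* Unprivileged caller: empty inheritable set, full bounding set. */
    struct pcaps n = sample_exec(0, ~(uint64_t)0);
    printf("permitted=%#llx effective=%#llx\n",
           (unsigned long long)n.permitted, (unsigned long long)n.effective);
    return 0;
}
```

Two things the arithmetic makes visible: the file's inheritable set only matters if the caller already holds those caps in its own inheritable set, so an ordinary user gains exactly the file's permitted set and nothing more; and dropping a capability from the bounding set (here CAP_NET_RAW) neuters the file cap for every later exec, which is the knob an administrator would reach for if a capability-bearing binary turned out to misbehave.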
