| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070124163004.GA15979@sgi.com> Date: Wed, 24 Jan 2007 10:30:05 -0600 From: "Bill O'Donnell" <billodo@....com> To: KaiGai Kohei <kaigai@...gai.gr.jp>, "Serge E. Hallyn" <serue@...ibm.com>, Chris Friedhoff <chris@...edhoff.org> Cc: linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, Stephen Smalley <sds@...ho.nsa.gov> Subject: Re: [PATCH] Implement file posix capabilities I'm in the process of testing the (backported) capabilities patch and Kaigai's userspace tools on a SLES10 based x86-64 target (2.6.16). Chris Friedhoff's examples (http://www.friedhoff.org/fscaps.html) run cleanly. That said, can one expect, through the use of these enhanced capabilities, to be able to add some finer grain capabilities based on a specific userid? In Chris' ping example, the suid is removed from /bin/ping to restrict it to root, and a capability added to allow any user to execute it. Can that example be extended to make it so only a _particular_ user can execute it? I realize with SELinux, one could achieve the goal, but as a stopgap, can capabilities be used to get there? Thanks, Bill -- Bill O'Donnell SGI billodo@....com - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists