[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <46252471.2030006@tls.msk.ru>
Date: Tue, 17 Apr 2007 23:48:01 +0400
From: Michael Tokarev <mjt@....msk.ru>
To: linux-kernel@...r.kernel.org
Subject: Wondering: why capabilities system is broken?
Hopefully not a flamewar question...
Currently, capabilities of a process are reset during exec()
system call. At least effective+permitted set.
1) In case new uid != 0, all the caps are cleared, so it is not
possible to execute a program as non-root but still give it some
capabilities (like, say, CAP_NET_BIND_SERVICE).
2) In case new uid == 0, effective and permitted sets are restored
to all-ones.
This is regardless of other settings, like prctl(KEEPCAPS), or
the current set of capabilities.
I partly understand why 2) is done - in case of setuid binary being
executed, all the capabilities are set for it. But this breaks
executing non-setuid binaries too -- for example, it'd be very nice
to be able to chroot to some directory, and remove CAP_SYS_CHROOT
(and other evil caps like CAP_SYS_MODULE, CAP_SETPCAP) -- this way,
with minimal efforts, chroot will work almost (yes, I understand
it's not entirely the same) the same as BSD jail(2) concept.
So the question is: why capability sets are being reinitialized during
exec()? At least in 2.4 era, they weren't... and stuff like
execcap, sucaps etc was working. Now they aren't anymore.
Thanks.
/mjt
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists