| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Jun 2007 08:56:57 -0700 (PDT) From: Casey Schaufler <casey@...aufler-ca.com> To: "Serge E. Hallyn" <serue@...ibm.com>, Casey Schaufler <casey@...aufler-ca.com> Cc: Andrew Morgan <morgan@...nel.org>, "Serge E. Hallyn" <serue@...ibm.com>, "Serge E. Hallyn" <serge@...lyn.com>, Chris Wright <chrisw@...s-sol.org>, Andrew Morgan <agm@...gle.com>, Andrew Morton <akpm@...gle.com>, Stephen Smalley <sds@...ho.nsa.gov>, James Morris <jmorris@...ei.org>, linux-security-module@...r.kernel.org, lkml <linux-kernel@...r.kernel.org> Subject: Re: implement-file-posix-capabilities.patch --- "Serge E. Hallyn" <serue@...ibm.com> wrote: > Quoting Casey Schaufler (casey@...aufler-ca.com): > > > > --- Andrew Morgan <morgan@...nel.org> wrote: > > > > > -----BEGIN PGP SIGNED MESSAGE----- > > > Hash: SHA1 > > > > > > Serge E. Hallyn wrote: > > > >> Does that explain it? > > > > > > > > Yes, thanks, but then it still could come in handy to have fE be a full > > > > bitset, so the application gets some eff caps automatically, while > > > > others it has to manually set... > > > > > > [We touched on this a number of emails back.] > > > > > > If an application is capability aware, it can manipulate its own > > > capabilities and should have fE=0. > > > > > > If an application is not capability aware, it needs to have *all* of its > > > capabilities enabled at exec() time. Otherwise, it won't work. > > > > The intent of the fE vector in the POSIX draft is that those capabilities > > are set on exec (lower vectors permitting). There are cases where it > > does make sense to raise just some (e.g. ping). > > > > > The only reason for having an fE bitmap is to allow a capability-aware > > > program (you really trust to do its privileged operations carefully) to > > > be lazy and get some of its capabilities raised for free. Perhaps you > > > can clarify why this is a desirable thing? :-) > > > > No, it's to allow you to grant a subset of the available capabilities > > to a program that is not aware of capabilities. You can give "date" > > the capability to reset the clock without giving it the capability > > to remove other people's files without changing the code or running > > it setuid. > > Would there be a difference between that and setting either fI or fP > (depending on your intent) to those caps, and setting fE=1 in Andrew's > scheme? Arg, you're making me think. The POSIX group went through this, let me see if I can reconstruct the logic. The main issue is one if there being a possible case where you have a capability ignorant program that you want to exec with a different fP and fE. On first glance it seems that since the program is capability ignorant it can't matter. But what if your capability ignorant program exec's a capability aware program to perform a helper function? You may well want the first program to have a capability that it does not use in fP (but not fE) to pass along to the helper program. True, you could probably come up with a way to set the capabilities on the helper program to account for this use, but there may be design and security constraints that make doing so complicated. Casey Schaufler casey@...aufler-ca.com - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists