[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0710231725550.16684@fbirervta.pbzchgretzou.qr>
Date: Tue, 23 Oct 2007 17:28:25 +0200 (CEST)
From: Jan Engelhardt <jengelh@...putergmbh.de>
To: "Serge E. Hallyn" <serge@...lyn.com>
cc: Giacomo Catenazzi <cate@...ian.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Andreas Gruenbacher <agruen@...e.de>,
Thomas Fricaccia <thomas_fricacci@...oo.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
James Morris <jmorris@...ei.org>
Subject: Re: LSM conversion to static interface
On Oct 23 2007 10:20, Serge E. Hallyn wrote:
>
>Once the per-process capability bounding set is accepted
>(http://lkml.org/lkml/2007/10/3/315) you will be able to do something
>like:
>
> 1. Create user 'jdoe' with uid 0
UID 0 is _not_ acceptable for me.
> 2. write a pam module which, when jdoe logs in, takes
> CAP_NET_ADMIN out of his capability bounding set
> 3. Now jdoe can log in with the kind of capabilities subset
> you describe.
It is not that easy.
CAP_DAC_OVERRIDE is given to the subadmin to bypass the pre-security
checks in kernel code, and then the detailed implementation of
limitation is done inside multiadm.
This is not just raising or lowering capabilities.
>It's not a perfect solution, since it doesn't allow jdoe any way at all
>to directly execute a file with more caps (setuid and file capabilities
>are subject to the capbound). So there is certainly still a place for
>multiadm.
A normal user can execute suid binaries today, and so can s/he with mtadm.
I do not see where that will change - it does not need any caps atm.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists