lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20080129130825.GD28931@sergelap.austin.ibm.com>
Date:	Tue, 29 Jan 2008 07:08:25 -0600
From:	"Serge E. Hallyn" <serue@...ibm.com>
To:	James Morris <jmorris@...ei.org>
Cc:	Matt LaPlante <kernel1@...erdogtech.com>,
	linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: "Default Linux Capabilities" default in 2.6.24

Quoting James Morris (jmorris@...ei.org):
> On Mon, 28 Jan 2008, Matt LaPlante wrote:
> 
> > On Thu, 24 Jan 2008 19:12:01 -0600
> > Matt LaPlante <kernel1@...erdogtech.com> wrote:
> > 
> > > 
> > > I'm doing a make oldconfig with the new 2.6.24 kernel.  I came to the prompt for "Default Linux Capabilities" which defaults to No:
> > > 
> > > ---
> > >  Default Linux Capabilities (SECURITY_CAPABILITIES) [N/y/?] (NEW) ?
> > > ---
> > > 
> > > However the help text recommends saying Yes.
> > > 
> > > ---
> > >  This enables the "default" Linux capabilities functionality.
> > >  If you are unsure how to answer this question, answer Y.
> > > ---
> > > 
> > > Does this seem incongruous?  Also, what's the "question"? :)
> > > 
> > > Thanks, 
> > > Matt LaPlante
> > 
> > Anyone?
> 
> I think this should be default y.

True, it was made the default when CONFIG_SECURITY=n a few years ago,
and switching it off when toggling CONFIG_SECURITY is probably unsafe
for unsuspecting users/testers.

Thanks Matt.

-serge

>From 0528f582de5534b972abddbb3294a3fb11435a21 Mon Sep 17 00:00:00 2001
From: sergeh@...ibm.com <hallyn@...nel.(none)>
Date: Tue, 29 Jan 2008 05:04:43 -0800
Subject: [PATCH 1/1] security: compile capabilities by default

Capabilities have long been the default when CONFIG_SECURITY=n,
and its help text suggests turning it on when CONFIG_SECURITY=y.
But it is set to default n.

Default it to y instead.

Signed-off-by: Serge Hallyn <serue@...ibm.com>
---
 security/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/security/Kconfig b/security/Kconfig
index 8086e61..389e151 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -76,6 +76,7 @@ config SECURITY_NETWORK_XFRM
 config SECURITY_CAPABILITIES
 	bool "Default Linux Capabilities"
 	depends on SECURITY
+	default y
 	help
 	  This enables the "default" Linux capabilities functionality.
 	  If you are unsure how to answer this question, answer Y.
-- 
1.5.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ