lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20080129104428.787c6c6f.kernel1@cyberdogtech.com>
Date:	Tue, 29 Jan 2008 10:44:28 -0600
From:	Matt LaPlante <kernel1@...erdogtech.com>
To:	"Serge E. Hallyn" <serue@...ibm.com>
Cc:	James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org
Subject: Re: "Default Linux Capabilities" default in 2.6.24

On Tue, 29 Jan 2008 07:08:25 -0600
"Serge E. Hallyn" <serue@...ibm.com> wrote:

> Quoting James Morris (jmorris@...ei.org):
> > On Mon, 28 Jan 2008, Matt LaPlante wrote:
> > 
> > > On Thu, 24 Jan 2008 19:12:01 -0600
> > > Matt LaPlante <kernel1@...erdogtech.com> wrote:
> > > 
> > > > 
> > > > I'm doing a make oldconfig with the new 2.6.24 kernel.  I came to the prompt for "Default Linux Capabilities" which defaults to No:
> > > > 
> > > > ---
> > > >  Default Linux Capabilities (SECURITY_CAPABILITIES) [N/y/?] (NEW) ?
> > > > ---
> > > > 
> > > > However the help text recommends saying Yes.
> > > > 
> > > > ---
> > > >  This enables the "default" Linux capabilities functionality.
> > > >  If you are unsure how to answer this question, answer Y.
> > > > ---
> > > > 
> > > > Does this seem incongruous?  Also, what's the "question"? :)
> > > > 
> > > > Thanks, 
> > > > Matt LaPlante
> > > 
> > > Anyone?
> > 
> > I think this should be default y.
> 
> True, it was made the default when CONFIG_SECURITY=n a few years ago,
> and switching it off when toggling CONFIG_SECURITY is probably unsafe
> for unsuspecting users/testers.
> 
> Thanks Matt.
> 
> -serge
> 
> From 0528f582de5534b972abddbb3294a3fb11435a21 Mon Sep 17 00:00:00 2001
> From: sergeh@...ibm.com <hallyn@...nel.(none)>
> Date: Tue, 29 Jan 2008 05:04:43 -0800
> Subject: [PATCH 1/1] security: compile capabilities by default
> 
> Capabilities have long been the default when CONFIG_SECURITY=n,
> and its help text suggests turning it on when CONFIG_SECURITY=y.
> But it is set to default n.
> 
> Default it to y instead.
> 
> Signed-off-by: Serge Hallyn <serue@...ibm.com>
> ---
>  security/Kconfig |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/security/Kconfig b/security/Kconfig
> index 8086e61..389e151 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -76,6 +76,7 @@ config SECURITY_NETWORK_XFRM
>  config SECURITY_CAPABILITIES
>  	bool "Default Linux Capabilities"
>  	depends on SECURITY
> +	default y
>  	help
>  	  This enables the "default" Linux capabilities functionality.
>  	  If you are unsure how to answer this question, answer Y.
> -- 
> 1.5.1
> 

Acked-by: Matt LaPlante <kernel1@...erdogtech.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ