| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BANLkTikJqgwGixtgXKOY-2e=1sAQYUtbcQ@mail.gmail.com> Date: Tue, 19 Apr 2011 10:14:57 +0900 From: crocket <crockabiscuit@...il.com> To: "Serge E. Hallyn" <serge@...lyn.com> Cc: linux-kernel@...r.kernel.org Subject: Re: Linux capabilities shouldn't be lost during setuid to non-root from root or to another non-root uid from a non-root uid. Is there an existing utility that sets SECBIT_NO_SETUID_FIXUP? Or is there a way to set it without writing a C wrapper program? On Tue, Apr 19, 2011 at 7:02 AM, Serge E. Hallyn <serge@...lyn.com> wrote: > Quoting crocket (crockabiscuit@...il.com): >> I have several questions. >> >> 1) How do I set SECBIT_NO_SETUID_FIXUP? > > prctl(PR_SET_SECUREBITS, SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED) > > see capabilities(7) for details. > >> 2) Is there any reason to unset SECBIT_NO_SETUID_FIXUP by default? > > Yes, because it's what userspace expects. If you prefer to run in > a full POSIX capabilities environment with unprivileged root, you > can have init set SECBIT_NO_SETUID_FIXUP and SECBIT_NOROOT and > tune userspace to do the right thing, but it's not trivial. > > -serge > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists