| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BANLkTimELd0WhNYkaQOQuV1vnr+5jAgTZA@mail.gmail.com> Date: Tue, 19 Apr 2011 23:27:07 +0900 From: crocket <crockabiscuit@...il.com> To: "Serge E. Hallyn" <serge@...lyn.com> Cc: linux-kernel@...r.kernel.org Subject: Re: Linux capabilities shouldn't be lost during setuid to non-root from root or to another non-root uid from a non-root uid. Thanks for the precious information. I think capsh should be introduced somewhere in some manuals. On Tue, Apr 19, 2011 at 10:14 AM, crocket <crockabiscuit@...il.com> wrote: > Is there an existing utility that sets SECBIT_NO_SETUID_FIXUP? > Or is there a way to set it without writing a C wrapper program? > > On Tue, Apr 19, 2011 at 7:02 AM, Serge E. Hallyn <serge@...lyn.com> wrote: >> Quoting crocket (crockabiscuit@...il.com): >>> I have several questions. >>> >>> 1) How do I set SECBIT_NO_SETUID_FIXUP? >> >> prctl(PR_SET_SECUREBITS, SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED) >> >> see capabilities(7) for details. >> >>> 2) Is there any reason to unset SECBIT_NO_SETUID_FIXUP by default? >> >> Yes, because it's what userspace expects. If you prefer to run in >> a full POSIX capabilities environment with unprivileged root, you >> can have init set SECBIT_NO_SETUID_FIXUP and SECBIT_NOROOT and >> tune userspace to do the right thing, but it's not trivial. >> >> -serge >> > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists