Message-ID: <20111019230909.GB32295@tango.0pointer.de>
Date:	Thu, 20 Oct 2011 01:09:09 +0200
From:	Lennart Poettering <mzxreary@...inter.de>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	Dan Ballard <dan@...dstab.net>,
	Randy Dunlap <rdunlap@...otime.net>,
	Ingo Molnar <mingo@...e.hu>,
	Kay Sievers <kay.sievers@...y.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/1] kernel/sysctl.c: Add cap_last_cap to
  /proc/sys/kernel

On Mon, 17.10.11 15:39, Andrew Morton (akpm@...ux-foundation.org) wrote:

> 
> On Sat, 15 Oct 2011 07:50:05 -0700
> Dan Ballard <dan@...dstab.net> wrote:
> 
> > Userspace needs to know the highest valid capability of the running
> > kernel, which right now cannot reliably be retrieved from the header
> > files only.  The fact that this value cannot be determined properly
> > right now creates various problems for libraries compiled on newer
> > header files which are run on older kernels. They assume
> > capabilities are available which actually aren't.
> 
> Specifically, what libraries are we talking about here?

libcap-ng, for example. And we ran into the same problem with systemd too.

> 
> > Now the capability is exported in /proc/sys/kernel/cap_last_cap.
> 
> Ever the optimist: is there any way in which we can avoid 0444
> permissions on this?

Normal users should be able to query this value, and it's not a security
problem if they do. Hence 0444 appears to be the right setting to me.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
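
An added example, not part of the original message and not code from libcap-ng or systemd: one way a userspace program could read /proc/sys/kernel/cap_last_cap at run time instead of trusting CAP_LAST_CAP from its build headers. The helper names, the sample value 36 and the PR_CAPBSET_READ probing fallback for kernels without the sysctl are assumptions.

```c
/* Added example; helper names are hypothetical, not libcap-ng or systemd code. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>

/* Parse the sysctl text (constructed sample: "36\n"); -1 on malformed input. */
int parse_cap_last_cap(const char *text)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < 0 || v > INT_MAX ||
        (*end != '\0' && *end != '\n'))
        return -1;
    return (int)v;
}

/* Assumed fallback for kernels without the sysctl: PR_CAPBSET_READ fails
 * (EINVAL) for a capability the running kernel does not know, so the last
 * number that succeeds is the highest valid one. */
int probe_cap_last_cap(void)
{
    int cap = 0;
    while (cap < 1024 && prctl(PR_CAPBSET_READ, (unsigned long)cap) >= 0)
        cap++;
    return cap - 1; /* -1 if even capability 0 could not be queried */
}

/* Prefer the 0444 sysctl, readable without privileges; else probe. */
int detect_cap_last_cap(const char *path)
{
    char buf[32];
    int v = -1;
    FILE *f = fopen(path, "r");
    if (f) {
        if (fgets(buf, sizeof buf, f))
            v = parse_cap_last_cap(buf);
        fclose(f);
    }
    return v >= 0 ? v : probe_cap_last_cap();
}

int main(void)
{
    printf("cap_last_cap = %d\n", detect_cap_last_cap("/proc/sys/kernel/cap_last_cap"));
    return 0;
}
```

A caller would clamp any loop over capability numbers (for example when dropping the bounding set) to the returned value, so that capabilities known only to newer headers are never passed to an older kernel.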