| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 07 Dec 2012 19:10:04 -0600 From: Rob Landley <rob@...dley.net> To: Andy Lutomirski <luto@...capital.net> Cc: Serge Hallyn <serge.hallyn@...onical.com>, James Morris <james.l.morris@...cle.com>, linux-security-module@...r.kernel.org, Casey Schaufler <casey@...aufler-ca.com>, linux-kernel@...r.kernel.org, Eric Paris <eparis@...hat.com>, "Andrew G. Morgan" <morgan@...nel.org>, mtk.manpages@...il.com Subject: Re: [PATCH] Document how capability bits work On 12/07/2012 01:32:18 PM, Andy Lutomirski wrote: > On Fri, Dec 7, 2012 at 11:21 AM, Serge Hallyn > <serge.hallyn@...onical.com> wrote: > > Quoting Andy Lutomirski (luto@...capital.net): > >> Signed-off-by: Andy Lutomirski <luto@...capital.net> > >> --- > >> Documentation/security/capabilities.txt | 161 > ++++++++++++++++++++++++++++++++ > >> 1 file changed, 161 insertions(+) > >> create mode 100644 Documentation/security/capabilities.txt > > > > TBH, I think a pointer to the capabilities.7 man page would be > better. > > (plus, if you feel they are needed, updates to the man page) > > Updating capabilities.7 wouldn't be a bad idea, but IMO it certainly > needs work. For example, it says: ... > I would be happy to revise this patch to reference capabilities.7. The capabilities.7 man page is existing maintained documentation on how to use this from userspace, which seems to be the point of your document. Having include/linux/uapi/capability.h mention its existence might be good. Feeding fixes to the documentation we've already got would be good. I read your document having largely ignored capabilities for years, and don't feel I have a better understanding of them after reading it. (I'm aware they exist, I'm aware they're used as a justification for extended attributes, I'm aware people think breaking a fireplace into a bunch of candleflames increases fire safety. I'm aware of http://forums.grsecurity.net/viewtopic.php?f=7&t=2522 and I _used_ to be aware of http://userweb.kernel.org/~morgan/sendmail-capabilities-war-story.html but kernel.org never bothered putting most of itself back together after the breakin last year and archive.org doesn't have a copy. I'm aware that a decade ago at Atlanta Linux Showcase in california Ted Tso was sad nobody was using them yet. But I haven't hugely been tracking changes over the last 5 years in how they work. It looks like figuring out who has what involves working through exercises in set theory that cannot be explained using a 127 bit ascii set. Personally, I prefer "more dangerous" security setups that don't require I pull out scratch paper to reason about the state of the system, so perhaps I'm biased here.) Rob-- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists