lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1354929004.20497.4@driftwood>
Date:	Fri, 07 Dec 2012 19:10:04 -0600
From:	Rob Landley <rob@...dley.net>
To:	Andy Lutomirski <luto@...capital.net>
Cc:	Serge Hallyn <serge.hallyn@...onical.com>,
	James Morris <james.l.morris@...cle.com>,
	linux-security-module@...r.kernel.org,
	Casey Schaufler <casey@...aufler-ca.com>,
	linux-kernel@...r.kernel.org, Eric Paris <eparis@...hat.com>,
	"Andrew G. Morgan" <morgan@...nel.org>, mtk.manpages@...il.com
Subject: Re: [PATCH] Document how capability bits work

On 12/07/2012 01:32:18 PM, Andy Lutomirski wrote:
> On Fri, Dec 7, 2012 at 11:21 AM, Serge Hallyn
> <serge.hallyn@...onical.com> wrote:
> > Quoting Andy Lutomirski (luto@...capital.net):
> >> Signed-off-by: Andy Lutomirski <luto@...capital.net>
> >> ---
> >>  Documentation/security/capabilities.txt | 161  
> ++++++++++++++++++++++++++++++++
> >>  1 file changed, 161 insertions(+)
> >>  create mode 100644 Documentation/security/capabilities.txt
> >
> > TBH, I think a pointer to the capabilities.7 man page would be  
> better.
> > (plus, if you feel they are needed, updates to the man page)
> 
> Updating capabilities.7 wouldn't be a bad idea, but IMO it certainly
> needs work.  For example, it says:
...
> I would be happy to revise this patch to reference capabilities.7.

The capabilities.7 man page is existing maintained documentation on how  
to use this from userspace, which seems to be the point of your  
document. Having include/linux/uapi/capability.h mention its existence  
might be good. Feeding fixes to the documentation we've already got  
would be good.

I read your document having largely ignored capabilities for years, and  
don't feel I have a better understanding of them after reading it. (I'm  
aware they exist, I'm aware they're used as a justification for  
extended attributes, I'm aware people think breaking a fireplace into a  
bunch of candleflames increases fire safety. I'm aware of  
http://forums.grsecurity.net/viewtopic.php?f=7&t=2522 and I _used_ to  
be aware of  
http://userweb.kernel.org/~morgan/sendmail-capabilities-war-story.html  
but kernel.org never bothered putting most of itself back together  
after the breakin last year and archive.org doesn't have a copy. I'm  
aware that a decade ago at Atlanta Linux Showcase in california Ted Tso  
was sad nobody was using them yet. But I haven't hugely been tracking  
changes over the last 5 years in how they work. It looks like figuring  
out who has what involves working through exercises in set theory that  
cannot be explained using a 127 bit ascii set. Personally, I prefer  
"more dangerous" security setups that don't require I pull out scratch  
paper to reason about the state of the system, so perhaps I'm biased  
here.)

Rob--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ