lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Thu, 6 Feb 2014 22:30:36 +0100
From:	"Serge E. Hallyn" <>
To:	Aaron Jones <>
Subject: Re: File capabilities are not 'working' and I have no idea why

Quoting Aaron Jones (
> Hash: SHA256
> I have isolated the problem. File capabilities are not assigned when
> the program being executed is located on a filesystem mounted with
> the "nosuid" option.
> This seems counter-intuitive; a fully capability-based system would
> not use setuid binaries...

Not strictly true.  setuid really just means 'change uid'.  The fact
that it can also raise/lower capability sets just muddles the issue.
If you want that behavior stopped you can do so using

>  so a logical thing to do would be to
> prevent the setuid bits from doing anything, which is what the
> nosuid flag is for, no?
> Or am I missing something?
> Can we get a config flag to toggle this behaviour?

I think generally when people mount nosuid it is to prevent
an untrusted source (usb stick, whatever) from providing a
untrusted but privileged program.  Be that through setuid-root
binaries or file capabilities.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists