Re: [RFC] [PATCH] file posix capabilities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



"Serge E. Hallyn" <[email protected]> writes:

> Quoting Serge E. Hallyn ([email protected]):
>> This patch implements file (posix) capabilities.  This allows
>> a binary to gain a subset of root's capabilities without having
>> the file actually be setuid root.
>> 
>> There are some other implementations out there taking various
>> approaches.  This patch keeps all the changes within the
>> capability LSM, and stores the file capabilities in xattrs
>> named "security.capability".  First question is, do we want
>> this in the kernel?  Second is, is this sort of implementation
>> we'd want?
>> 
>> Some userspace tools to manipulate the fscaps are at
>> www.sr71.net/~hallyn/fscaps/.  For instance,
>> 
>> 	setcap writeroot "cap_dac_read_search,cap_dac_override+eip"
>> 
>> allows the 'writeroot' testcase to write to /root/ab when
>> run as a normal user.
>> 
>> This patch doesn't address the need to update
>> cap_bprm_secureexec().

Looking at your ondisk format it doesn't look like you include a
version.  There is no reason to believe the current set of kernel
capabilities is fixed for all time.  So we need some for of
forward/backward compatibility.  Maybe in the cap name?

Eric
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux