Hi!
> > > How about another gid, then? Should we reset all caps on sgid exec?
> >
> > Yes. Any setuid/setgid exec is a security barrier, and weird (or new)
> > semantics may not cross that barrier.
>
> Right, so what I was saying was: if you reset all regular caps on sgid
> exec, anyone can trivially reset all regular caps by creating a sgid
> program (users are always members of a great many groups so "finding
> another gid to hijack" is trivial). So CAP_REG_SXID needs to be off
> all the time, so we lose again.
>
> But I'll make this a securebit ("unsanitized sxid"), with the behavior
> you advertise as default (0).
I'm not sure if fundamental security semantics should be optional, but
it is certainly better than before.
> > > Ultimately a compromise is to be reached between security and
> > > flexibility... The problem is, I don't know who should make the
> > > decision.
> >
> > Go for security here. (Normally, consensus on the list is needed for
> > merging the patch).
>
> I am now completely convinced the patch will never be merged. :-(
> Linux will have useless caps forever...
Well, merging the patches is not that hard.
tytso actually shown a clever way: add per-filesystem 'default
capability masks'. That should be fairly easy to merge, and
automatically back-compatible.
(And it would get tou semantics you wanted in inheritance area,
right?)
Pavel
--
Thanks for all the (sleeping) penguins.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
