Subject: Re: LSM conversion to static interface

On Tue, 23 Oct 2007 10:34:09 CDT, "Serge E. Hallyn" said:

> And he will still be able to *run* the suid binary, but if cap_bound is
> reduced he won't be able to use capabilities taken out of the bounding
> set, multiadm loaded or not.

I am willing to bet that there's still a *lot* of unaudited set[ug]id code out there that's vulnerable to the same sorts of attacks as the one that hit Sendmail a few back. As such, I have to agree with your original post of the patch that CAP_SYS_ADMIN should be required to lower the set, as there's just too much danger of an exploit if users can create their own reduced-set processes.

I'm debating whether we should have a printk if we detect that a removed capability caused an -EPERM. Yes, it can be used to spam the logs. On the other hand, I as the sysadmin would like to know if it's happening. Looks like time for a sysctl or something....
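The mechanism the two posters are arguing about (a process can still exec a setuid binary, but any capability removed from its bounding set stays unavailable, and lowering the set must itself be a privileged operation) can be exercised from user space on today's kernels. The following is an added example, not code from this thread or from the patch under discussion: it uses the per-process bounding set that Linux 2.6.25 and later expose through prctl(PR_CAPBSET_READ) and prctl(PR_CAPBSET_DROP). On those kernels the privilege gating the drop is CAP_SETPCAP, not the CAP_SYS_ADMIN proposed in the patch; the CAP_LAST_CAP fallback value and the eperm_from_bset() helper (a user-space stand-in for the printk being debated) are assumptions of this example.

```c
// Added example (not from the thread): inspect and shrink the per-process
// capability bounding set with prctl(2). Assumes Linux 2.6.25+, where
// PR_CAPBSET_READ / PR_CAPBSET_DROP exist and the drop is gated on
// CAP_SETPCAP rather than the CAP_SYS_ADMIN discussed in the 2007 patch.
#include <errno.h>
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Highest capability number to iterate over. The running kernel may know
 * more than this header does; PR_CAPBSET_READ answers EINVAL for those.
 * The fallback value is an assumption of this example. */
#ifndef CAP_LAST_CAP
#define CAP_LAST_CAP 40
#endif

/* 1 if cap is still in the caller's bounding set, 0 if it was removed,
 * -1 with errno set (EINVAL for a cap this kernel does not know). */
int bset_has(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Remove cap from the bounding set. 0 on success, otherwise errno:
 * EPERM when the caller lacks CAP_SETPCAP, EINVAL for an unknown cap.
 * The drop is irreversible for this process and inherited across exec,
 * which is exactly why it is privileged: an unprivileged user must not be
 * able to hand a setuid binary a capability set it was never tested with. */
int bset_drop(int cap)
{
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == -1)
        return errno;
    return 0;
}

/* Drop every capability except those listed in keep[]. Returns the number
 * dropped, or -1 on the first EPERM (no further drop can succeed either). */
int bset_restrict(const int *keep, int nkeep)
{
    int dropped = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        int wanted = 0;
        for (int k = 0; k < nkeep; k++)
            if (keep[k] == cap)
                wanted = 1;
        if (wanted || bset_has(cap) != 1)
            continue;               /* keep it, or already gone / unknown */
        int rc = bset_drop(cap);
        if (rc == EPERM)
            return -1;
        if (rc == 0)
            dropped++;
    }
    return dropped;
}

/* User-space stand-in for the printk being debated: after a privileged
 * operation failed with err, report whether the capability it needed had
 * been removed from the bounding set (1 = yes, 0 = no or unknown). */
int eperm_from_bset(int err, int needed_cap)
{
    return err == EPERM && bset_has(needed_cap) == 0;
}

int main(void)
{
    int keep[] = { CAP_NET_BIND_SERVICE };  /* constructed sample policy */
    printf("CAP_SYS_ADMIN in bounding set before: %d\n", bset_has(CAP_SYS_ADMIN));
    int n = bset_restrict(keep, 1);
    if (n < 0)
        printf("drop refused: %s (caller lacks CAP_SETPCAP)\n", strerror(EPERM));
    else
        printf("dropped %d capabilities; CAP_SYS_ADMIN now: %d\n",
               n, bset_has(CAP_SYS_ADMIN));
    return 0;
}
```

Run it once as an ordinary user and once as root (or with CAP_SETPCAP via setcap): the first run reports the refused drop, the second shows CAP_SYS_ADMIN reading as 0 afterwards, and a subsequent exec of any setuid binary from that shell inherits the reduced set. The kernel-side equivalent of eperm_from_bset() would be the printk the poster is weighing; doing it in user space keeps the log-spam question local to the program that cares.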