> This is a change of behaviour in a fairly security sensitive area, so I'd
> like us to step back and ask - should we fix the code or the comment?
>
> An application using prctl()[1] is capability aware. I think it is fair
> (and more secure) if we require these applications to explicitly request
> raising capabilities in the effective set, after the switch from euid == 0
> to euid != 0.
>
> Comments?
With the current behaviour an app has to link against libcap and do:
prtctl(PR_SET_KEEPCAPS, 1)
pre_caps = (capgetp(0, cap_init()) // save our caps into a struct
setuid(uid)
setgid(gid)
capsetp(0,pre_caps) // Restore them
With this patch, the app does:
prtctl(PR_SET_KEEPCAPS, 1)
setuid(uid)
setgid(gid)
The end result is exactly the same. I'm trying to envision how this patch
would change security in a negative way. I keep coming back to the Unix
idea of "don't be smarter than the admin; don't try to protect root from
himself".
Maybe we could enchance PR_SET_KEEPCAPS so that:
prtctl(PR_SET_KEEPCAPS, 2) kept both the permitted and the effective caps.
Dax Kelson
Guru Labs
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/