Has either lscap or chcap been written? I suppose not as that would
require a consensus on how capabilities would be stored as a EA.
That EA would need to be "special" and only be changeable by uid 0 (or
CAP_CHFSCAP).
So, has any of the below changed now that LSM has entered the picture?
1. Define how capabilities will be stored as a EA
2. Teach fs/exec.c to use the capabilities stored with the file
3. Write lscap(1)
4. Write chcap(1)
5. Audit/fix all SUID root binaries to be capabilities aware
6. Set appropriate capabilities with for each with chcap(1) and then:
# find / -type f -perm -4000 -user root -exec chmod u-s {} \;
7. Party and snicker in the general direction of that OS with the slogan
"One remote hole in the default install, in nearly 6 years!"
Dax Kelson
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/