It seems an additional mechanism is needed to prevent LD_PRELOAD from loading
non-standard libraries for executables that are not suid/sgid, if those
executables have any effective or permitted capabilities that the calling
process doesn't have already.
This shouldn't be too hard; perhaps Ulrich has an opinion on that.
> I think the eventual plan was that we pass the kernel's current->dumpable
> as an ELF note. Not sure if it got done. Alternatively glibc could use
> prctl(PR_GET_DUMPABLE).
Sorry, I don't know exactly what was your plan here. Could you please explain?
A perhaps unrelated note: We once had Pavel Machek's elfcap implementation, in
which capabilities were stored in ELF. This was a bad idea because being able
to create executables does not imply the user is capable of CAP_SETFCAP, and
users shouldn't be able to freely choose their capabilities :-] We still want
to be able to grant additional capabilities to a binary that are not owned by
root though. Extended attributes to overcome this limitation.
There also has to be a mechanism to drop capabilities off binaries if they are
written to (on write or perhaps on open).
The final goal would be the `incapable root user', i.e., we would not give
suid root binaries any capabilities except those that are explicitly defined.
--Andreas.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/