Re: Filesystem Capabilities in 2.6?

Dax Kelson (dax@gurulabs.com)
Sat, 2 Nov 2002 21:00:38 -0700 (MST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Akira Tsukamoto: "Re: [PATCH] Athlon cache-line fix"
Previous message: Akira Tsukamoto: "Re: [PATCH] 2/2 2.5.45 cleanup & add original copy_ro/from_user"

On Sat, 2 Nov 2002, Oliver Xymoron wrote:

> # mv ping ping.real
> # chmod -s ping.real
> # mkcapwrap +net_raw ping.real
> # chmod +s ping
> # showcapwrap ping
> invokes /bin/ping
> grants net_raw
> #

Do you mean?

# mv ping ping.real
# chmod -s ping.real
# mkcapwrap +net_raw ping
# chmod +s ping
# showcapwrap ping
invokes /bin/ping.real
grants net_raw
#

The wrapper needs to setuid/gid to the uid/gid that invokes it.

uid root with no caps (or few caps) is still very powerful (replace
binaries owned by root, read /etc/shadow, etc).

Currently all capabilities are cleared when non-root app does a execp.
This would need to be addressed.

Dax

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Akira Tsukamoto: "Re: [PATCH] Athlon cache-line fix"
Previous message: Akira Tsukamoto: "Re: [PATCH] 2/2 2.5.45 cleanup & add original copy_ro/from_user"