> But I like Al's idea of mount binds even more, although it requires maybe
> a bit more administration.
OK, will do - will be fun to take a break from drivers/* and devfs excrements
I'm digging in...
BTW, here's a fresh demonstration (found half an hour ago) that capabilities
do *not* permit more lax attitude when writing stuff with elevated priveleges:
* /usr/lib/games/nethack/recover is run at the boot time (as root)
to recover crashed games.
* Debian nethack 3.4.0-3.1 has it installed root.games and it
is group-writable - cretinism in debian/rules, upstream is not guilty
in that (BTW, so is /usr/lib/games/nethack/recover-helper).
* ergo, any exploitable hole in sgid-games binary (rogue, for
instance) is trivially elevated to root exploit.
Capabilities will *not* help that one - suid-games binaries need
to be able to write as 'games', that's the whole reason why they are
suid-games. Normally they use it to create save files. And quite a
few of them are ripe with exploits - c.f. recent rogue(6) holes.
Normally that would lead only to ability to screw others' save
files (and potentially to compromise their accounts, if corrupted save
file can trigger a hole in another game). Besides, many of these beasts
are old and didn't get too much attention.
Now, combined with packaging fuckup (which is a nice prototype of
ACL fuckups to come) we get a lovely path leading to root exploit. Bugger
all, one *still* has to think when writing code. A shame, isn't it?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/