Thats a hard problem. Since your scan is non atomic and because you have
directory notifications a running processes can have the setuid apps can
move the setuid bits around the file system to hide from you.
> - trivially show each and every binary that is allowed elevated
> permissions (and _which_ elevated permissions) by just doing a "mount".
>
> - and since the mount trees are really per-process, you can allow certain
> process groups to have mounts that others don't have.
>
> I think that as a anal-retentive security admin, I'd like such a system.
Being able to give process trees a file system view which has certain
capability raising properties removed is basically the existing
capability mechanism but with a cleaner interface and more powerful
semantics.
Doing that with just mount properties and using them to revoke rights
works for me. There is a vfs corner case (clearly the setuid bit of a
file that isnt setuid from this namespace point of view) which is very
very important but not hard to get right.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/