Re: Filesystem Capabilities in 2.6?

Olaf Dietsche (olaf.dietsche#list.linux-kernel@t-online.de)
Sun, 03 Nov 2002 14:52:18 +0100


Linus Torvalds <torvalds@transmeta.com> writes:

> On the other hand, I have this suspicion that the most secure setup is one
> that the sysadmin is _used_ to, and knows all the pitfalls of. Which
> obviously is a big argument for just maintaining the status quo with suid
> binaries.

As is shown every now and then, when the next security hole is
reported. So we stay at the lowest common denominator.

I've always had good experience with educating people, not with
dumbing them down. But maybe I've been just lucky then and worked
with very smart people.

> We have decades of knowledge on how to minimize the negative impact of
> suid (I've used sendmail as an example of a suid program, and yet last I
> looked sendmail was actually pretty careful about dropping all unnecessary
> privileges very early on).

So we throw out the baby with the bath water. This is conservatism at
it's worst.

> And as Al points out, new security features don't mean that you can just
> stop being careful.

Stating the obvious. Capabilities are not an end in itself, nor is suid
root. It's just another line of defense to help with these binaries,
which are _not_ capability aware.

Regards, Olaf.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/