Re: Filesystem Capabilities in 2.6?

Jesse Pollard (pollard@admin.navo.hpc.mil)
Mon, 4 Nov 2002 09:13:45 -0600


On Saturday 02 November 2002 10:54 pm, Linus Torvalds wrote:
> On Sat, 2 Nov 2002, Alexander Viro wrote:
> > No, that's OK -
> >
> > mount --bind /usr/bin/foo.real /usr/bin/foo.real
> > mount -o remount,nosuid /usr/bin/foo.real
>
> Ehh. With the nosuid mount that will remove the effectiveness of the suid
> bit (not just the user change - it will also mask off the elevation of the
> capabilities), so the bind-mount with the capability mask will now mask
> off nothing to start with.
>
> Wouldn't it be much nicer to have:
>
> /usr/bin/foo - no suid bits, no capabilities by default
>
> mount --bind --capability=xx,yy /usr/bin/foo /usr/bin/foo
>
> where the mount actually adds capabilities? Looks more understandable to
> me.

Only until the file the path name is connected to is replaced. Then the
trojan suddenly gains the capabilities of the real "foo".

Been there done that. That was one of the first security vulnerabilities
in the VMS implementation of ACLs.

-- 
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.
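
The reply above turns on the difference between a path name and the file object behind it. The following is an added userspace illustration, not code from the original message or from the kernel: it records a file's identity (device and inode) at "grant" time, replaces the file under the same name, and reports whether the name and a descriptor opened earlier still refer to the granted object. The directory `/tmp/capdemo.<pid>`, the file names, and the function names are assumptions made for the example; it does not model the proposed `mount --capability` option.

```c
/* Added illustration (constructed files): name identity vs. object identity. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Two stat results describe the same file object iff device and inode match. */
static int same_object(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Bit 0: path still resolves to the granted object after the replacement.
 * Bit 1: descriptor opened at grant time still does. Returns -1 on error. */
int check_after_replace(void)
{
    char dir[64], foo[80], other[80];
    struct stat granted, by_path, by_fd;
    int fd = -1, result = -1;
    snprintf(dir, sizeof dir, "/tmp/capdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700)) return -1;              /* fails if name exists */
    snprintf(foo, sizeof foo, "%s/foo", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    if (write_file(foo, "real foo\n") || write_file(other, "stand-in\n")) goto out;
    fd = open(foo, O_RDONLY);
    if (fd < 0 || fstat(fd, &granted)) goto out;  /* identity at grant time */
    if (rename(other, foo)) goto out;             /* same name, new inode */
    if (stat(foo, &by_path) || fstat(fd, &by_fd)) goto out;
    result = (same_object(&granted, &by_path) ? 1 : 0)
           | (same_object(&granted, &by_fd) ? 2 : 0);
out:
    if (fd >= 0) close(fd);
    unlink(foo); unlink(other); rmdir(dir);
    return result;
}

int main(void)
{
    return printf("check_after_replace() = %d\n", check_after_replace()) < 0;
}
```

A result of 2 means the name now resolves to a different object while the earlier descriptor still refers to the original one, so any attribute keyed to the name alone would follow the replacement.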