On Tue, 23 Oct 2007 10:34:09 CDT, "Serge E. Hallyn" said:

> And he will still be able to *run* the suid binary, but if cap_bound is
> reduced he won't be able to use capabilities taken out of the bounding
> set, multiadm loaded or not.
I am willing to bet that there's still a *lot* of unaudited set[ug]id code out there that's vulnerable to the same sorts of attacks as the one that hit Sendmail a few back. As such, I have to agree with your original post of the patch that CAP_SYS_ADMIN should be required to lower the set, as there's just too much danger of an exploit if users can create their own reduced-set processes. I'm debating whether we should have a printk if we detect that a removed capability caused an -EPERM. Yes, it can be used to spam the logs. On the other hand, I as the sysadmin would like to know if it's happening. Looks like time for a sysctl or something....
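A defender-side check for the situation discussed above, added here as an example that is not part of the thread: it reads a process's CapBnd line from /proc/&lt;pid&gt;/status and lists the capabilities missing from its bounding set, which is exactly what a set-uid binary started from that process will also be unable to use. The sample status text, CAP_FULL_MASK and the helper names are constructed assumptions, not kernel API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#define CAP_SYS_MODULE 16   /* kernel capability numbers */
#define CAP_SYS_ADMIN  21
/* Assumed "every capability" mask: bits 0..37 (CAP_LAST_CAP == 37 on
 * current kernels); adjust for the kernel this is run against. */
#define CAP_FULL_MASK  0x3fffffffffULL
/* Constructed /proc/<pid>/status excerpt: a bounding set from which
 * CAP_SYS_MODULE (bit 16) and CAP_SYS_ADMIN (bit 21) were removed. */
static const char sample_status[] =
    "Name:\tsample\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffdeffff\n";

/* Pull the CapBnd hex mask out of status text; 0 if the line is absent. */
uint64_t capbnd_from_status(const char *status)
{
    const char *p = strstr(status, "CapBnd:");
    return p ? strtoull(p + strlen("CapBnd:"), NULL, 16) : 0;
}

/* Non-zero if capability number cap survives in the bounding set mask. */
int capbnd_has(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1);
}

/* List capabilities present in full but absent from mask; returns count. */
int capbnd_missing(uint64_t full, uint64_t mask, int *out, int max)
{
    int n = 0;
    for (int cap = 0; cap < 64 && n < max; cap++)
        if (capbnd_has(full, cap) && !capbnd_has(mask, cap))
            out[n++] = cap;
    return n;
}

/* Report this process's bounding set; uses the sample if /proc is absent. */
int main(void)
{
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
    uint64_t bnd = capbnd_from_status(buf[0] ? buf : sample_status);
    int missing[64], n = capbnd_missing(CAP_FULL_MASK, bnd, missing, 64);
    printf("CapBnd=%016llx, %d removed:", (unsigned long long)bnd, n);
    for (int i = 0; i < n; i++) printf(" %d", missing[i]);
    putchar('\n');
    return 0;
}
```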