On Wed, 26 Dec 2007 18:06:53 -0600 "Serge E. Hallyn" <[EMAIL PROTECTED]> wrote:
> Quoting Chris Friedhoff ([EMAIL PROTECTED]):
> > Hello,
> >
> > in updating the documentation http://www.friedhoff.org/posixfilecaps.html
> > I noticed a change in the behavior.
> >
> > There was the behavior, when the extended attribute capability was
> > present but with empty sets, even a suid-0-bit binary was not having
> > the right to request a call for which capabilities in-kernel are
> > defined. suid-0-bit ping with an empty capability set provoked an EPERM
> >
> > Now, when the extended attribute is present but empty and for ping - as
> > an example - cap_net_raw is not granted, root-power overrules the lack
> > of the necessary capability.
> >
> > Shall the presence of file capability constrain root power or shall
> > root power overrule file capability?
>
> I think the only rule we can reasonably use is: existing setuid
> semantics shall not be adversely affected by capabilities.
>
> So when !issecure(SECURE_NOROOT), then a setuid root binary should
> always run with all root privileges (barring capability bounding
> sets). However if issecure(SECURE_NOROOT), then a setuid root binary
> should run with no special privileges. But I don't expect anyone to
> really use that until Andrew Morgan resubmits the per-process
> SECURE_NOROOT patch.
>
> My question is - when did it ever behave differently??
>
> -serge

I think it was around one year ago, when I was documenting this behavior.
I was able to reproduce this behavior with

kernel 2.6.20.21
implement-file-posix-capabilities.patch
file-capabilities-dont-do-file-caps-if-mnt_nosuid.patch
libcap-1.10-25.kg.3

the patches are from:
http://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.20/2.6.20-mm2/broken-out/

Admittedly, at that time I probably hadn't seen
file-capabilities-honor-secure_noroot.patch which allows (since then?)
root to keep its capabilities instead of considering the presence of
file capabilities.

Bottom line: No questions, I'm content and I learned something I wasn't aware of.

Chris

--------------------
Chris Friedhoff
[EMAIL PROTECTED]
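The following is an added example, not code from the thread or from the kernel patches it names. It parses a `security.capability` extended-attribute value in the `VFS_CAP_REVISION_2` layout (the constants are those of `linux/capability.h`, restated here so the program builds without kernel headers) and then applies the rule Serge states above: a setuid-root binary keeps full root privilege while `SECURE_NOROOT` is clear, and only the file capabilities count once it is set. The two xattr byte strings are constructed inline (one empty set, one granting `CAP_NET_RAW`); on a live system they would come from `getxattr(2)`, and the `setuid_root`/`secure_noroot` flags are inputs the caller supplies rather than anything the program reads from the kernel.

```c
/* Added example (not from the thread): parse a VFS_CAP_REVISION_2
 * security.capability value and model the setuid-root vs. SECURE_NOROOT
 * rule from the reply.  Sample xattr bytes below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants as in linux/capability.h. */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001u
#define CAP_NET_RAW             13
#define VFS_CAP_V2_SIZE         20   /* u32 magic + 2 x {permitted, inheritable} */

struct filecaps {
    bool present;        /* xattr exists and parsed cleanly */
    bool effective;      /* VFS_CAP_FLAGS_EFFECTIVE set in magic_etc */
    uint64_t permitted;
    uint64_t inheritable;
};

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Revision 2: little-endian u32 magic_etc, then {permitted, inheritable}
 * for the low 32 capability bits, then the same pair for the high bits.
 * Returns false for a short buffer or an unknown revision. */
bool parse_vfs_caps_v2(const unsigned char *buf, size_t len, struct filecaps *out) {
    memset(out, 0, sizeof *out);
    if (len < VFS_CAP_V2_SIZE) return false;
    uint32_t magic = le32(buf);
    if ((magic & VFS_CAP_REVISION_MASK) != VFS_CAP_REVISION_2) return false;
    out->present   = true;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    uint32_t p_lo = le32(buf + 4),  i_lo = le32(buf + 8);
    uint32_t p_hi = le32(buf + 12), i_hi = le32(buf + 16);
    out->permitted   = ((uint64_t)p_hi << 32) | p_lo;
    out->inheritable = ((uint64_t)i_hi << 32) | i_lo;
    return true;
}

/* "Present but empty": the case Chris describes for ping. */
bool caps_empty(const struct filecaps *c) {
    return c->permitted == 0 && c->inheritable == 0;
}

/* The rule from the reply: setuid root plus !SECURE_NOROOT means full
 * root privilege regardless of the xattr; with SECURE_NOROOT set, the
 * setuid bit confers nothing and only the file caps apply. */
bool runs_with_full_root(bool setuid_root, bool secure_noroot) {
    return setuid_root && !secure_noroot;
}

/* Would the binary end up holding CAP_NET_RAW (what ping needs)? */
bool has_net_raw(bool setuid_root, bool secure_noroot, const struct filecaps *c) {
    if (runs_with_full_root(setuid_root, secure_noroot)) return true;
    return c->present && (c->permitted & (1ull << CAP_NET_RAW)) != 0;
}

/* Constructed sample xattr values (little-endian). */
const unsigned char sample_empty_caps[VFS_CAP_V2_SIZE] = {
    0x00, 0x00, 0x00, 0x02,                         /* magic_etc = VFS_CAP_REVISION_2 */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0 /* all sets empty */
};
const unsigned char sample_net_raw_caps[VFS_CAP_V2_SIZE] = {
    0x01, 0x00, 0x00, 0x02,                         /* revision 2 + effective flag */
    0x00, 0x20, 0x00, 0x00,                         /* permitted low: bit 13 = CAP_NET_RAW */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0            /* inheritable low, permitted/inheritable high */
};

int main(void) {
    struct filecaps c;
    parse_vfs_caps_v2(sample_empty_caps, sizeof sample_empty_caps, &c);
    printf("empty xattr, setuid root, SECURE_NOROOT clear: net_raw=%d\n",
           has_net_raw(true, false, &c));   /* root power overrules: 1 */
    printf("empty xattr, setuid root, SECURE_NOROOT set:   net_raw=%d\n",
           has_net_raw(true, true, &c));    /* EPERM case: 0 */
    parse_vfs_caps_v2(sample_net_raw_caps, sizeof sample_net_raw_caps, &c);
    printf("cap_net_raw+ep xattr, no setuid, SECURE_NOROOT set: net_raw=%d\n",
           has_net_raw(false, true, &c));   /* file caps alone suffice: 1 */
    return 0;
}
```

The three printed cases correspond to the behaviours discussed in the thread: the "root overrules an empty set" outcome Chris observed, the EPERM outcome he remembered from the earlier patch set (which under the stated rule only happens with `SECURE_NOROOT`), and a non-setuid ping that relies purely on its file capabilities.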
