-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Andrew Morton wrote: | On Fri, 01 Feb 2008 00:11:37 -0800 "Andrew G. Morgan" <[EMAIL PROTECTED]> wrote: | |> [This patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES |> is enabled at configure time.] | | Patches like this scare the pants off me.
Nice to know I'm not being mediocre! :-D | I'd have to recommend that distributors not enable this feature (if we | merge it) until they have 100% convinced themselves that it is 100% | correct. FWIW I'm in complete agreement if you are referring to CONFIG_SECURITY_FILE_CAPABILITIES and not just this patch... As to the rest, the short version: * The sendmail thing was a subtle problem trying to map setuid(non-0) into a capability framework. The long and the short of it was that an unprivileged user could prevent a privileged application from exercising all of the privilege it needed and getting root access as a result. * I'm saying setuid(0) apps will most definitely continue to be supported by a kernel even with CONFIG_SECURITY_FILE_CAPABILITIES=y. All the patch does is make it possible for a capable(CAP_SETPCAP) process to declare itself as the parent of a process tree in which that is not the case. Here is the very very long version (which took some time to write, and I thought was a bit much to spam these lists with): http://userweb.kernel.org/~morgan/sendmail-capabilities-war-story.html Cheers Andrew -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFHpVjP+bHCR3gb8jsRAsMtAJ9XqR0yaeY8O3F8/nCdoALPksKZOQCg06/7 pJOZRfMORnI8YfIcta5nVLw= =Rpj4 -----END PGP SIGNATURE----- - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html