On 12/12/2012 06:29 PM, Andy Lutomirski wrote:
On Sat, Dec 8, 2012 at 3:57 PM, Andy Lutomirski wrote:
I just tried to search to find actual uses of pI/fI. Here's what I found:
I downloaded all the Fedora spec files and searched for file
capabilities. Assuming I didn't mess up, here's what

Quoting Andy Lutomirski (l...@amacapital.net):
> On Sat, Dec 8, 2012 at 3:57 PM, Andy Lutomirski wrote:
> >
> > I just tried to search to find actual uses of pI/fI. Here's what I found:
>
> I downloaded all the Fedora spec files and searched for file
> capabilities. Assuming I didn't mess up, h

On Sat, Dec 8, 2012 at 3:57 PM, Andy Lutomirski wrote:
>
> I just tried to search to find actual uses of pI/fI. Here's what I found:
I downloaded all the Fedora spec files and searched for file
capabilities. Assuming I didn't mess up, here's what I found:
fping.spec:%attr(0755,root,root) %caps

On Mon, Dec 10, 2012 at 11:55 AM, Andy Lutomirski wrote:
> Write a daemon. Rig up wrappers for each setuid program to instead
> call into that daemon and have that daemon invoke the privileged
> program on behalf of the caller, with a sanitized environment. Be
> annoyed by a few items on the "li

On Mon, Dec 10, 2012 at 11:51 AM, Casey Schaufler
wrote:
> On 12/10/2012 11:31 AM, Andy Lutomirski wrote:
>> On Mon, Dec 10, 2012 at 11:13 AM, Casey Schaufler
>> wrote:
>>> On 12/10/2012 10:12 AM, Andy Lutomirski wrote:
I think that the Windows approach is worth looking at. See here:
>

On 12/10/2012 11:31 AM, Andy Lutomirski wrote:
> On Mon, Dec 10, 2012 at 11:13 AM, Casey Schaufler
> wrote:
>> On 12/10/2012 10:12 AM, Andy Lutomirski wrote:
>>> I think that the Windows approach is worth looking at. See here:
>>>
>>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa3752

On Mon, Dec 10, 2012 at 11:13 AM, Casey Schaufler
wrote:
> On 12/10/2012 10:12 AM, Andy Lutomirski wrote:
>> I think that the Windows approach is worth looking at. See here:
>>
>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa375202%28v=vs.85%29.aspx
>>
>> In the Windows model, each c

On 12/10/2012 10:12 AM, Andy Lutomirski wrote:
> On Mon, Dec 10, 2012 at 7:47 AM, Casey Schaufler
> wrote:
>> Put an ACL on the program file.
>> If you want different users to run with different privilege
>> make two copies of the program and give them different
>> ACLs and cap sets.
>> If your p

On Mon, Dec 10, 2012 at 7:47 AM, Casey Schaufler wrote:
> Put an ACL on the program file.
> If you want different users to run with different privilege
> make two copies of the program and give them different
> ACLs and cap sets.
> If your program is so big that making a copy is a disk space issue

On Mon, Dec 10, 2012 at 6:59 AM, Serge Hallyn
wrote:
> Quoting Andy Lutomirski (l...@amacapital.net):
>> It's especially bad because granting CAP_DAC_READ_SEARCH to user "foo"
>> doesn't mean anything. Is he authorized to back things up to
>> encrypted storage?
>
> We're talking about privileges

Quoting Casey Schaufler (ca...@schaufler-ca.com):
> On 12/10/2012 6:59 AM, Serge Hallyn wrote:
> > Quoting Andy Lutomirski (l...@amacapital.net):
> >> It's especially bad because granting CAP_DAC_READ_SEARCH to user "foo"
> >> doesn't mean anything. Is he authorized to back things up to
> >> encry

On 12/10/2012 6:59 AM, Serge Hallyn wrote:
> Quoting Andy Lutomirski (l...@amacapital.net):
>> It's especially bad because granting CAP_DAC_READ_SEARCH to user "foo"
>> doesn't mean anything. Is he authorized to back things up to
>> encrypted storage?
> We're talking about privileges at the kernel

Quoting Andy Lutomirski (l...@amacapital.net):
> It's especially bad because granting CAP_DAC_READ_SEARCH to user "foo"
> doesn't mean anything. Is he authorized to back things up to
> encrypted storage?
We're talking about privileges at the kernel level here, and there is
no way this could be ex

Quoting Andrew G. Morgan (mor...@kernel.org):
> > It breaks down because, currently, users with nonzero pI have no
> > direct ability to wield the capabilities. That means that every
> > single binary with fI bits set needs to be as careful as a setuid-root
> > binary to avoid leaking privilege to

Quoting Andrew G. Morgan (mor...@kernel.org):
> I'm still missing something with the problem definition.
>
> So far if I follow the discussion we have determined that inheritance as
> implemented is OK except for the fact that giving user an inheritable pI
> bit which gives them default permission

On Sat, Dec 8, 2012 at 3:37 PM, Andy Lutomirski wrote:
>
> Again (any mainly because I feel like there's a giant mental
> disconnect here in that I really don't understand wtf the current /
> POSIX system is trying to accomplish): what would be wrong with a
> model in which capabilities could be f

On Sat, Dec 8, 2012 at 2:33 PM, Andrew G. Morgan wrote:
> On Fri, Dec 7, 2012 at 10:39 AM, Andy Lutomirski wrote:
>> It breaks down because, currently, users with nonzero pI have no
>> direct ability to wield the capabilities. That means that every
>> single binary with fI bits set needs to be a

On Fri, Dec 7, 2012 at 10:39 AM, Andy Lutomirski wrote:
> On Fri, Dec 7, 2012 at 9:07 AM, Andrew G. Morgan wrote:
>> I'm still missing something with the problem definition.
>>
>> So far if I follow the discussion we have determined that inheritance
>> as implemented is OK except for the fact tha

On Fri, Dec 7, 2012 at 9:07 AM, Andrew G. Morgan wrote:
> I'm still missing something with the problem definition.
>
> So far if I follow the discussion we have determined that inheritance
> as implemented is OK except for the fact that giving user an
> inheritable pI bit which gives them default

I'm still missing something with the problem definition.
So far if I follow the discussion we have determined that inheritance
as implemented is OK except for the fact that giving user an
inheritable pI bit which gives them default permission to use all
binaries endowed with the corresponding file

On 12/7/2012 6:42 AM, Serge E. Hallyn wrote:
> Quoting Casey Schaufler (ca...@schaufler-ca.com):
>> On 12/5/2012 2:20 PM, Serge Hallyn wrote:
>>> Quoting Andy Lutomirski (l...@amacapital.net):
On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn
wrote:
> Quoting Andy Lutomirski (l...@amacap

Quoting Casey Schaufler (ca...@schaufler-ca.com):
> On 12/5/2012 2:20 PM, Serge Hallyn wrote:
> > Quoting Andy Lutomirski (l...@amacapital.net):
> >> On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn
> >> wrote:
> >>> Quoting Andy Lutomirski (l...@amacapital.net):
> On Tue, Dec 4, 2012 at 5:54 AM

On 12/5/2012 2:20 PM, Serge Hallyn wrote:
> Quoting Andy Lutomirski (l...@amacapital.net):
>> On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn
>> wrote:
>>> Quoting Andy Lutomirski (l...@amacapital.net):
On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn wrote:
> Quoting Andy Lutomirski (l...@

Quoting Andy Lutomirski (l...@amacapital.net):
> On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn
> wrote:
> > Quoting Andy Lutomirski (l...@amacapital.net):
> >> On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn wrote:
> >> > Quoting Andy Lutomirski (l...@amacapital.net):
> >> >> >> d) If I really wa

On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn wrote:
> Quoting Andy Lutomirski (l...@amacapital.net):
>> On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn wrote:
>> > Quoting Andy Lutomirski (l...@amacapital.net):
>> >> >> d) If I really wanted, I could emulate execve without actually doing
>> >> >>

Quoting Andy Lutomirski (l...@amacapital.net):
> On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn wrote:
> > Quoting Andy Lutomirski (l...@amacapital.net):
> >> >> d) If I really wanted, I could emulate execve without actually doing
> >> >> execve, and capabilities would be inherited.
> >> >
> >> >

On 12/05/2012 09:32 PM, Andy Lutomirski wrote:
>Anyway, implementing the features you want in a new module is encouraged,
>so long as the behavior of existing module stays the same.
I'll think about it some more and do it possibly using a sysctl.
Adding this kind of stuff in a module is asking f

On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn wrote:
> Quoting Andy Lutomirski (l...@amacapital.net):
>> >> d) If I really wanted, I could emulate execve without actually doing
>> >> execve, and capabilities would be inherited.
>> >
>> > If you could modify the executable properties of the binar

Quoting Andy Lutomirski (l...@amacapital.net):
> >> d) If I really wanted, I could emulate execve without actually doing
> >> execve, and capabilities would be inherited.
> >
> > If you could modify the executable properties of the binary that has
> > the privilege to wield a privilege then you are

On Sun, Dec 2, 2012 at 6:20 PM, Andrew G. Morgan wrote:
> On Sun, Dec 2, 2012 at 3:04 PM, Andy Lutomirski wrote:
>> On Sun, Dec 2, 2012 at 2:26 PM, Andrew G. Morgan wrote:
>>> On Sun, Dec 2, 2012 at 10:35 AM, Andy Lutomirski
>>> wrote:
On Sun, Dec 2, 2012 at 9:21 AM, Andrew G. Morgan wro

On Sun, Dec 2, 2012 at 3:04 PM, Andy Lutomirski wrote:
> On Sun, Dec 2, 2012 at 2:26 PM, Andrew G. Morgan wrote:
>> On Sun, Dec 2, 2012 at 10:35 AM, Andy Lutomirski wrote:
>>> On Sun, Dec 2, 2012 at 9:21 AM, Andrew G. Morgan wrote:
There is a fairly well written paper ;-) explaining how th

On Sun, Dec 2, 2012 at 2:26 PM, Andrew G. Morgan wrote:
> On Sun, Dec 2, 2012 at 10:35 AM, Andy Lutomirski wrote:
>> On Sun, Dec 2, 2012 at 9:21 AM, Andrew G. Morgan wrote:
>>> There is a fairly well written paper ;-) explaining how things are
>>> supposed to work:
>>>
>>> http://ols.fedorapro

On Sun, Dec 2, 2012 at 10:35 AM, Andy Lutomirski wrote:
> On Sun, Dec 2, 2012 at 9:21 AM, Andrew G. Morgan wrote:
>> There is a fairly well written paper ;-) explaining how things are
>> supposed to work:
>>
>> http://ols.fedoraproject.org/OLS/Reprints-2008/hallyn-reprint.pdf
>>
>> The inherita

On Sun, Dec 2, 2012 at 9:21 AM, Andrew G. Morgan wrote:
> There is a fairly well written paper ;-) explaining how things are
> supposed to work:
>
> http://ols.fedoraproject.org/OLS/Reprints-2008/hallyn-reprint.pdf
>
> The inheritable set is not intended to work the way you seem to want.
> Naive

There is a fairly well written paper ;-) explaining how things are
supposed to work:
http://ols.fedoraproject.org/OLS/Reprints-2008/hallyn-reprint.pdf
The inheritable set is not intended to work the way you seem to want.
Naive inheritance like that is quite explicitly the opposite of what
was d

I'd like to be able to run programs (like bash!) as nonroot but with
some capabilities granted. After all these years, it's almost, but
not quite, possible. This is because the transition rule (if root
isn't involved or NOROOT is set) is pP' = (pB' & fP) | (pI' & fI),
and, when execing a program