Chris Wright <[EMAIL PROTECTED]> writes:
> * Alexander Nyberg ([EMAIL PROTECTED]) wrote:
>> I can see useful scenarios of having the possibility of capabilities per
>> inode (it appears the xattr way wins somewhat in the previous
>> discussion).
>
> It's how it should be done.
I agree to disagree
ches that
> > > will get you to your goal. I understand that it's a real pain right now.
> > > One of the authors of the withdrawn draft has told me that the notion of
> > > capabilities w/out filesystem support was considered effectively useless.
> > > So,
Russell King, the latest person to notice defects, writes:
> However, the way the kernel is set up today, this seems
> impossible to achieve, which tends to make the whole
> idea of capabilities completely and utterly useless.
>
> How is this stuff supposed to work? Are my ideas of
> what's suppos
ry. BTW, thanks for reminding me of
> > scripts, I had been testing just C programs.
>
> I wouldn't call it useless, retaining capabilities across execve +
> pam_cap is a very useful thing, on my machine I can give myself a few
> capabilities that have always annoyed me (iirc the
> will get you to your goal. I understand that it's a real pain right now.
> One of the authors of the withdrawn draft has told me that the notion of
> capabilities w/out filesystem support was considered effectively useless.
> So, we're in uncharted territory. BTW, thanks for
* Russell King ([EMAIL PROTECTED]) wrote:
> At some point, I decided I'd like to run a certain program non-root
> with certain capabilities only. I looked at the above two programs
> and stupidly thought they'd actually allow me to do this.
>
> However, the way the kernel is set up today, this see
On Sat, Mar 12, 2005 at 07:21:17PM -0800, Chris Wright wrote:
> * Alexander Nyberg ([EMAIL PROTECTED]) wrote:
> > This makes it possible for a root-task to pass capabilities to
> > nonroot-task across execve. The root-task needs to change its
> > cap_inheritable mask and set prctl(PR_SET_KEEPCAPS,
ers that can run all the way CAP_SYS_NICE, would give every audio man
his realtime applications. This is certainly possible with capabilities
across execve and pam_cap (using a few caps myself right now).
> > At execve time the capabilities will be passed on to the new
> >
Hi!
> This makes it possible for a root-task to pass capabilities to
> nonroot-task across execve. The root-task needs to change its
> cap_inheritable mask and set prctl(PR_SET_KEEPCAPS, 1) to pass on
> capabilities.
> At execve time the capabilities will be passed on to the new
> nonroot-task a
* Alexander Nyberg ([EMAIL PROTECTED]) wrote:
> This makes it possible for a root-task to pass capabilities to
> nonroot-task across execve. The root-task needs to change its
> cap_inheritable mask and set prctl(PR_SET_KEEPCAPS, 1) to pass on
> capabilities.
This overloads keepcaps, which could
This makes it possible for a root-task to pass capabilities to
nonroot-task across execve. The root-task needs to change its
cap_inheritable mask and set prctl(PR_SET_KEEPCAPS, 1) to pass on
capabilities.
At execve time the capabilities will be passed on to the new
nonroot-task and any non-inheri