On Aug 9, 2005, at 11:16:33, Christopher Warner wrote:
In my observer pragmatic view; yes. On many occasions, I've come to CAP
calls only to be frustrated with the sheer disconnect of it all. It
simply doesn't work. If it means having to break POSIX conformance for a
working implementation, then so be it.
-- Christopher Warner
On Tue, 2005-08-09 at 00
Hello,
Ts'o wrote:
>since _obviously_ when root calls setuid(), it never fails, right?
Well this really depends on how privileged a certain root user (think of
SELinux and others) is.
>(2) There was some debate about whether or not this method was the
>
course of wisdom,
James M
On Tue, 9 Aug 2005, David Madore wrote:
> the "process management" part. For example, I might like to run this
> or that binary, which claims it needs to be run as root, with a
> limited set of capabilities: the current Linux kernels make this quite
> impossible.
Not impossible with SELinux.
On Tue, Aug 09, 2005 at 01:53:50AM +, Theodore Ts'o wrote:
> The POSIX specification for capabilities requires filesystem support,
> so that each executable can be marked with three capability sets ---
> which indicate which capabilities are asserted when the executable
> starts, which capabil
Let me play the Devil's advocate here.
Should we be thinking about deprecating and removing capabilities from
Linux?
- James
--
James Morris
<[EMAIL PROTECTED]>
On Mon, Aug 08, 2005 at 11:53:33PM +, David Wagner wrote:
> David Madore wrote:
> >This does not tell me, then, why CAP_SETPCAP was globally disabled by
> >default, nor why passing of capabilities across execve() was entirely
> >removed instead of being fixed.
>
> I do not know of any good re
David Madore wrote:
>This does not tell me, then, why CAP_SETPCAP was globally disabled by
>default, nor why passing of capabilities across execve() was entirely
>removed instead of being fixed.
I do not know of any good reason. Perhaps the few folks who knew enough
to fix it properly didn't fee
Sorry for replying to myself...
On Mon, Aug 08, 2005 at 09:13:06PM +, David Madore wrote:
> However, what I do not understand is precisely _how_ one gets a
> sendmail process without CAP_SETUID: for that is the heart of the
> problem, and that is where the bug really was. But [#3] and [#4] ar
Hi.
Like many people[#1][#2], I have found out that the Linux capability
handling utilities are non-functional, and cannot be repaired because
the kernel deliberately cripples capabilities (they are reset on every
call to execve()). I have found that various people[#1][#2] have
proposed patches t
10 matches