Re: Filesystem Capabilities in 2.6?

Alexander Viro (viro@math.psu.edu)
Sat, 2 Nov 2002 19:43:59 -0500 (EST)


On Sat, 2 Nov 2002, Linus Torvalds wrote:

>
> On Sat, 2 Nov 2002, Rik van Riel wrote:
> >
> > Sure it's more flexible, but I wonder how many userland
> > programs will be broken if we change the permission model
> > and how well users can protect their data this way.
>
> This is not a "change". Existing behaviour clearly cannot change. We're
> talking about new interfaces to export capabilities in the filesystem.
>
> And pathnames are a _hell_ of a lot better and straightforward interface
> than inode numbers are. It's confusing when you change the permission on
> one path to notice that another path magically changed too.

It's equally confusing to find out that link(2) doesn't preserve
file properties.

Frankly, I'm less than sure that ability to raise capabilities is
a good thing - being able to drop them is certainly nice, but I doubt
that partial suid-root will be better than full suid-root and it
certainly makes security model even more complex. And incomplete
understanding of security model is a great recipe for PITA - demonstrated
way too many times already...

Folks, seriously - it might be very tempting to add features in that
area, but more features actually increase overall security. Just look
at the track record of systems with baroque security models and ask
yourself whether we want to go there.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/