Re: Filesystem Capabilities in 2.6?

Oliver Xymoron (oxymoron@waste.org)
Sat, 2 Nov 2002 21:50:17 -0600


On Sat, Nov 02, 2002 at 07:23:11PM -0800, Linus Torvalds wrote:
>
> On Sat, 2 Nov 2002, Alexander Viro wrote:
> >
> > <shrug> that can be done without doing anything to filesystem.
> > Namely, turn current "nosuid" of vfsmount into a mask of capabilities.
> > Then use bindings instead of links.
>
> I like that idea. It's very explicit, and clearly name-based, and we do
> have 99% of the support for it already.

Bindings are cool, but once you start talking about doing a lot of
them, they're rather ungainly due to not actually being persisted on
the filesystem, no?

A better approach is to just make a user-space capabilities-wrapper
that's setuid, drops capabilities quickly and safely and calls the
real app. Something like:

# mv ping ping.real
# chmod -s ping.real
# mkcapwrap +net_raw ping.real
# chmod +s ping
# showcapwrap ping
invokes /bin/ping
grants net_raw
#

No fs magic, no persistence issues, all user-space.

-- 
 "Love the dolphins," she advised him. "Write by W.A.S.T.E.." 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/