Re: Filesystem Capabilities in 2.6?

Alan Cox (alan@lxorguk.ukuu.org.uk)
03 Nov 2002 12:57:43 +0000

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Alan Cox: "Re: Filesystem Capabilities in 2.6?"
Previous message: Alan Cox: "Re: Filesystem Capabilities in 2.6?"
Next in thread: Bernd Eckenfels: "Re: Filesystem Capabilities in 2.6?"
Reply: Bernd Eckenfels: "Re: Filesystem Capabilities in 2.6?"

On Sun, 2002-11-03 at 03:35, Linus Torvalds wrote:
> With a simple extended binfmt_misc.c or binfmt_script.c, we could do a
> capability escape (that only removes capabilities, but allows for suid
> shells) fairly easily if people really want it. And it would work on any
> almost-UNIXy filesystem, including NFS etc.
>
> But I like Al's idea of mount binds even more, although it requires maybe
> a bit more administration.

The two are seperate things IMHO

Namespaces is a way to inherit revocation of rights on a large scale (or
a small one true). #! is a way to handle program specific revocation of
rights which _is_ filesystem persistent.

The former is a database view, the latter is an actual database change

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alan Cox: "Re: Filesystem Capabilities in 2.6?"
Previous message: Alan Cox: "Re: Filesystem Capabilities in 2.6?"
Next in thread: Bernd Eckenfels: "Re: Filesystem Capabilities in 2.6?"
Reply: Bernd Eckenfels: "Re: Filesystem Capabilities in 2.6?"