This sounds like the right way to go. I do hope the configuration
file includes an SHA checksum of the secutable. And to avoid race
conditions, there really ought to be a new system call, fexecve(2)
which takes an open file descriptor instead of a pathname.
(Unfortunately, we're in feature freeze now, so that will have to wait
until 2.7.)
Failing that, though, /usr/bin/super should really check the
permissions starting from the root of the entire pathaname, and fail
the exec if any of the containing directories are writable by a
non-root user. (And of course, the executable should not be writable
by a non-root users for the same reason.)
With these checks, though, adding support for capabilities in
/usr/bin/super sounds like the right approach. It doesn't require any
kernel changes (well, fexecve(2) would be nice, but it's not strictly
required). There is of course a slight performance penalty associated
with the use of the helper program, but the start time of most setuid
root programs probably isn't a performance critical concern.
- Ted
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/