I've been meaning to send an email on this topic for a while now...
> I discussed the issue with the capabilities maintainer (Andrew Morgan) and
> we decided upon a simple solution;
>
> If a process has its capabilities changed via sys_capset(), it is marked
> as capability aware. When a "capability aware" process does setuid(0 ->
> !=0), capabilities are not cleared. The "capability aware" flag is cleared
> on exec().
Allow me to second this suggestion. In the present state capabilities are
useless on Linux as a means of privilege isolation, since they can't be
used by anyone besides root on any standard Linux distribution.
I was thinking of system calls along the lines of sys_setsecurebits() and
sys_getsecurebits(), along with a capability to allow changes.
Your solution sounds like a much better approach.
I want to be able to start a daemon, drop all capabilities except the one
I need, and then setuid() to a non-privileged user.
Linux needs your patch!
Thanks,
Chris Wing
wingc@engin.umich.edu
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/