From: Theodore Ts'o (tytso_at_mit.edu)
Date: Wed 12 Nov 2003 - 03:48:10 GMT
On Tue, Nov 11, 2003 at 06:21:04PM -0600, Linas Vepstas wrote:
> > SETPCAP means you can not only lower but raise privs of process other
> > than yourself. It's a dangerous capability to give out.
> Well, yes, that was my point. I'm getting the feeling that it's implemented
> incorrectly, that there should have been a pair of bits: LOWERPCAP and
> RAISEPCAP, instead of SETPCAP. Seems to me that LOWERPCAP, by allowing
> one process to take away the caps of another, is reasonably safe
> and useful. So I was trying to ask if you/other gurus see something flawed
> with this line of reasoning.
Nope, it's hopelessly flawed. Lowering the privs of another process
without warning can cause severe security flaws, because it means that
operations that were expected to succeed suddenly start failing. And
most programs do not do adequate error checks. You could argue
that they *should*, but security architects have to deal with reality,
not with the fantasy "people should do X" world.
And of course, it's even worse if you're lowering the capabilities of
some other process such as an arbitrary system daemon.
You can lower your *own* capability, but having the power to lower
someone else's capabilities gives you the power to inflict infinite
Vserver mailing list
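The thread contrasts a process lowering its *own* capabilities (safe) with one process changing another's (dangerous). The program below is an added example, not code from the thread or from Vserver: it has a child drop every capability from its own sets with the raw `capget`/`capset` system calls, reads them back, and reports the result through the exit status instead of assuming the drop worked. It assumes a Linux host with `<linux/capability.h>`; the `drop_caps_in_child` and `caps_read` names are mine. The header's `pid` field is left at 0 (the calling thread), which is the only target modern kernels accept for `capset(2)`; an unprivileged process may always shrink its own sets, so the example runs without root.

```c
// Added example (not from the original thread): a process lowering its own
// Linux capabilities and checking the result. Assumes Linux; uses the raw
// capget/capset syscalls so no libcap is required.
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/capability.h>

#define CAP_WORDS _LINUX_CAPABILITY_U32S_3   /* two 32-bit words per set */

typedef struct {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[CAP_WORDS];
} caps_t;

/* Read the calling thread's capability sets. Returns 0 on success, -1 on error. */
int caps_read(caps_t *c) {
    memset(c, 0, sizeof *c);
    c->hdr.version = _LINUX_CAPABILITY_VERSION_3;
    c->hdr.pid = 0;                       /* 0 == the calling thread */
    return syscall(SYS_capget, &c->hdr, c->data) == 0 ? 0 : -1;
}

/* Drop every capability from the caller's permitted, effective and
   inheritable sets. Shrinking your own sets never needs a privilege. */
int caps_drop_all(void) {
    caps_t c;
    memset(&c, 0, sizeof c);              /* all three sets become empty */
    c.hdr.version = _LINUX_CAPABILITY_VERSION_3;
    c.hdr.pid = 0;
    return syscall(SYS_capset, &c.hdr, c.data) == 0 ? 0 : -1;
}

/* 1 if all three sets are empty, 0 otherwise. */
int caps_all_empty(const caps_t *c) {
    for (int i = 0; i < CAP_WORDS; i++)
        if (c->data[i].effective || c->data[i].permitted || c->data[i].inheritable)
            return 0;
    return 1;
}

/* Run the drop in a forked child so the caller keeps its own capabilities.
   Returns 0 if the child dropped everything and verified it, -1 otherwise.
   Every step is checked: a silent failure here is exactly the "expected to
   succeed, suddenly fails" situation the thread warns about. */
int drop_caps_in_child(void) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        caps_t c;
        if (caps_drop_all() != 0)
            _exit(2);                     /* capset itself failed */
        if (caps_read(&c) != 0)
            _exit(3);                     /* could not read back */
        _exit(caps_all_empty(&c) ? 0 : 4);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    caps_t before;
    if (caps_read(&before) != 0) {
        perror("capget");
        return 1;
    }
    printf("parent effective[0]=0x%08x permitted[0]=0x%08x\n",
           before.data[0].effective, before.data[0].permitted);
    int rc = drop_caps_in_child();
    printf("child dropped all capabilities: %s\n", rc == 0 ? "yes" : "NO");
    return rc == 0 ? 0 : 1;
}
```

The parent's own sets are untouched after the call, which is the safe half of the distinction made above: a process may only narrow what it itself can do. Nothing in this program can widen a set or touch another process, and if a later privileged operation in the child fails, that failure is the program's own decision to live with, not a surprise inflicted from outside.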