On 12/12/2012 06:29 PM, Andy Lutomirski wrote:
On Sat, Dec 8, 2012 at 3:57 PM, Andy Lutomirski wrote:
I just tried to search to find actual uses of pI/fI. Here's what I found:
I downloaded all the Fedora spec files and searched for file
capabilities. Assuming I didn't mess up, here's what
On 12/12/2012 06:29 PM, Andy Lutomirski wrote:
On Sat, Dec 8, 2012 at 3:57 PM, Andy Lutomirski l...@amacapital.net wrote:
I just tried to search to find actual uses of pI/fI. Here's what I found:
I downloaded all the Fedora spec files and searched for file
capabilities. Assuming I didn't
Quoting Andy Lutomirski (l...@amacapital.net):
> On Sat, Dec 8, 2012 at 3:57 PM, Andy Lutomirski wrote:
> >
> > I just tried to search to find actual uses of pI/fI. Here's what I found:
>
> I downloaded all the Fedora spec files and searched for file
> capabilities. Assuming I didn't mess up,
On Sat, Dec 8, 2012 at 3:57 PM, Andy Lutomirski wrote:
>
> I just tried to search to find actual uses of pI/fI. Here's what I found:
I downloaded all the Fedora spec files and searched for file
capabilities. Assuming I didn't mess up, here's what I found:
fping.spec:%attr(0755,root,root)
On Sat, Dec 8, 2012 at 3:57 PM, Andy Lutomirski l...@amacapital.net wrote:
I just tried to search to find actual uses of pI/fI. Here's what I found:
I downloaded all the Fedora spec files and searched for file
capabilities. Assuming I didn't mess up, here's what I found:
Quoting Andy Lutomirski (l...@amacapital.net):
On Sat, Dec 8, 2012 at 3:57 PM, Andy Lutomirski l...@amacapital.net wrote:
I just tried to search to find actual uses of pI/fI. Here's what I found:
I downloaded all the Fedora spec files and searched for file
capabilities. Assuming I
On Mon, Dec 10, 2012 at 11:55 AM, Andy Lutomirski wrote:
> Write a daemon. Rig up wrappers for each setuid program to instead
> call into that daemon and have that daemon invoke the privileged
> program on behalf of the caller, with a sanitized environment. Be
> annoyed by a few items on the
On Mon, Dec 10, 2012 at 11:51 AM, Casey Schaufler
wrote:
> On 12/10/2012 11:31 AM, Andy Lutomirski wrote:
>> On Mon, Dec 10, 2012 at 11:13 AM, Casey Schaufler
>> wrote:
>>> On 12/10/2012 10:12 AM, Andy Lutomirski wrote:
I think that the Windows approach is worth looking at. See here:
On 12/10/2012 11:31 AM, Andy Lutomirski wrote:
> On Mon, Dec 10, 2012 at 11:13 AM, Casey Schaufler
> wrote:
>> On 12/10/2012 10:12 AM, Andy Lutomirski wrote:
>>> I think that the Windows approach is worth looking at. See here:
>>>
>>>
On Mon, Dec 10, 2012 at 11:13 AM, Casey Schaufler
wrote:
> On 12/10/2012 10:12 AM, Andy Lutomirski wrote:
>> I think that the Windows approach is worth looking at. See here:
>>
>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa375202%28v=vs.85%29.aspx
>>
>> In the Windows model, each
On 12/10/2012 10:12 AM, Andy Lutomirski wrote:
> On Mon, Dec 10, 2012 at 7:47 AM, Casey Schaufler
> wrote:
>> Put an ACL on the program file.
>> If you want different users to run with different privilege
>> make two copies of the program and give them different
>> ACLs and cap sets.
>> If your
On Mon, Dec 10, 2012 at 7:47 AM, Casey Schaufler wrote:
> Put an ACL on the program file.
> If you want different users to run with different privilege
> make two copies of the program and give them different
> ACLs and cap sets.
> If your program is so big that making a copy is a disk space
On Mon, Dec 10, 2012 at 6:59 AM, Serge Hallyn
wrote:
> Quoting Andy Lutomirski (l...@amacapital.net):
>> It's especially bad because granting CAP_DAC_READ_SEARCH to user "foo"
>> doesn't mean anything. Is he authorized to back things up to
>> encrypted storage?
>
> We're talking about privileges
Quoting Casey Schaufler (ca...@schaufler-ca.com):
> On 12/10/2012 6:59 AM, Serge Hallyn wrote:
> > Quoting Andy Lutomirski (l...@amacapital.net):
> >> It's especially bad because granting CAP_DAC_READ_SEARCH to user "foo"
> >> doesn't mean anything. Is he authorized to back things up to
> >>
On 12/10/2012 6:59 AM, Serge Hallyn wrote:
> Quoting Andy Lutomirski (l...@amacapital.net):
>> It's especially bad because granting CAP_DAC_READ_SEARCH to user "foo"
>> doesn't mean anything. Is he authorized to back things up to
>> encrypted storage?
> We're talking about privileges at the
Quoting Andy Lutomirski (l...@amacapital.net):
> It's especially bad because granting CAP_DAC_READ_SEARCH to user "foo"
> doesn't mean anything. Is he authorized to back things up to
> encrypted storage?
We're talking about privileges at the kernel level here, and there is
no way this could be
Quoting Andrew G. Morgan (mor...@kernel.org):
> > It breaks down because, currently, users with nonzero pI have no
> > direct ability to wield the capabilities. That means that every
> > single binary with fI bits set needs to be as careful as a setuid-root
> > binary to avoid leaking privilege
Quoting Andrew G. Morgan (mor...@kernel.org):
> I'm still missing something with the problem definition.
>
> So far if I follow the discussion we have determined that inheritance as
> implemented is OK except for the fact that giving user an inheritable pI
> bit which gives them default
Quoting Andrew G. Morgan (mor...@kernel.org):
I'm still missing something with the problem definition.
So far if I follow the discussion we have determined that inheritance as
implemented is OK except for the fact that giving user an inheritable pI
bit which gives them default permission to
Quoting Andrew G. Morgan (mor...@kernel.org):
It breaks down because, currently, users with nonzero pI have no
direct ability to wield the capabilities. That means that every
single binary with fI bits set needs to be as careful as a setuid-root
binary to avoid leaking privilege to the
Quoting Andy Lutomirski (l...@amacapital.net):
It's especially bad because granting CAP_DAC_READ_SEARCH to user foo
doesn't mean anything. Is he authorized to back things up to
encrypted storage?
We're talking about privileges at the kernel level here, and there is
no way this could be
On 12/10/2012 6:59 AM, Serge Hallyn wrote:
Quoting Andy Lutomirski (l...@amacapital.net):
It's especially bad because granting CAP_DAC_READ_SEARCH to user foo
doesn't mean anything. Is he authorized to back things up to
encrypted storage?
We're talking about privileges at the kernel level
Quoting Casey Schaufler (ca...@schaufler-ca.com):
On 12/10/2012 6:59 AM, Serge Hallyn wrote:
Quoting Andy Lutomirski (l...@amacapital.net):
It's especially bad because granting CAP_DAC_READ_SEARCH to user foo
doesn't mean anything. Is he authorized to back things up to
encrypted storage?
On Mon, Dec 10, 2012 at 6:59 AM, Serge Hallyn
serge.hal...@canonical.com wrote:
Quoting Andy Lutomirski (l...@amacapital.net):
It's especially bad because granting CAP_DAC_READ_SEARCH to user foo
doesn't mean anything. Is he authorized to back things up to
encrypted storage?
We're talking
On Mon, Dec 10, 2012 at 7:47 AM, Casey Schaufler ca...@schaufler-ca.com wrote:
Put an ACL on the program file.
If you want different users to run with different privilege
make two copies of the program and give them different
ACLs and cap sets.
If your program is so big that making a copy is
On 12/10/2012 10:12 AM, Andy Lutomirski wrote:
On Mon, Dec 10, 2012 at 7:47 AM, Casey Schaufler ca...@schaufler-ca.com
wrote:
Put an ACL on the program file.
If you want different users to run with different privilege
make two copies of the program and give them different
ACLs and cap sets.
On Mon, Dec 10, 2012 at 11:13 AM, Casey Schaufler
ca...@schaufler-ca.com wrote:
On 12/10/2012 10:12 AM, Andy Lutomirski wrote:
I think that the Windows approach is worth looking at. See here:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa375202%28v=vs.85%29.aspx
In the Windows
On 12/10/2012 11:31 AM, Andy Lutomirski wrote:
On Mon, Dec 10, 2012 at 11:13 AM, Casey Schaufler
ca...@schaufler-ca.com wrote:
On 12/10/2012 10:12 AM, Andy Lutomirski wrote:
I think that the Windows approach is worth looking at. See here:
On Mon, Dec 10, 2012 at 11:51 AM, Casey Schaufler
ca...@schaufler-ca.com wrote:
On 12/10/2012 11:31 AM, Andy Lutomirski wrote:
On Mon, Dec 10, 2012 at 11:13 AM, Casey Schaufler
ca...@schaufler-ca.com wrote:
On 12/10/2012 10:12 AM, Andy Lutomirski wrote:
I think that the Windows approach is
On Mon, Dec 10, 2012 at 11:55 AM, Andy Lutomirski l...@amacapital.net wrote:
Write a daemon. Rig up wrappers for each setuid program to instead
call into that daemon and have that daemon invoke the privileged
program on behalf of the caller, with a sanitized environment. Be
annoyed by a few
On Sat, Dec 8, 2012 at 3:37 PM, Andy Lutomirski wrote:
>
> Again (and mainly because I feel like there's a giant mental
> disconnect here in that I really don't understand wtf the current /
> POSIX system is trying to accomplish): what would be wrong with a
> model in which capabilities could be
On Sat, Dec 8, 2012 at 2:33 PM, Andrew G. Morgan wrote:
> On Fri, Dec 7, 2012 at 10:39 AM, Andy Lutomirski wrote:
>> It breaks down because, currently, users with nonzero pI have no
>> direct ability to wield the capabilities. That means that every
>> single binary with fI bits set needs to be
On Fri, Dec 7, 2012 at 10:39 AM, Andy Lutomirski wrote:
> On Fri, Dec 7, 2012 at 9:07 AM, Andrew G. Morgan wrote:
>> I'm still missing something with the problem definition.
>>
>> So far if I follow the discussion we have determined that inheritance
>> as implemented is OK except for the fact
On Fri, Dec 7, 2012 at 10:39 AM, Andy Lutomirski l...@amacapital.net wrote:
On Fri, Dec 7, 2012 at 9:07 AM, Andrew G. Morgan mor...@kernel.org wrote:
I'm still missing something with the problem definition.
So far if I follow the discussion we have determined that inheritance
as implemented
On Sat, Dec 8, 2012 at 2:33 PM, Andrew G. Morgan mor...@kernel.org wrote:
On Fri, Dec 7, 2012 at 10:39 AM, Andy Lutomirski l...@amacapital.net wrote:
It breaks down because, currently, users with nonzero pI have no
direct ability to wield the capabilities. That means that every
single binary
On Sat, Dec 8, 2012 at 3:37 PM, Andy Lutomirski l...@amacapital.net wrote:
Again (and mainly because I feel like there's a giant mental
disconnect here in that I really don't understand wtf the current /
POSIX system is trying to accomplish): what would be wrong with a
model in which
On Fri, Dec 7, 2012 at 9:07 AM, Andrew G. Morgan wrote:
> I'm still missing something with the problem definition.
>
> So far if I follow the discussion we have determined that inheritance
> as implemented is OK except for the fact that giving user an
> inheritable pI bit which gives them default
I'm still missing something with the problem definition.
So far if I follow the discussion we have determined that inheritance
as implemented is OK except for the fact that giving user an
inheritable pI bit which gives them default permission to use all
binaries endowed with the corresponding
On 12/7/2012 6:42 AM, Serge E. Hallyn wrote:
> Quoting Casey Schaufler (ca...@schaufler-ca.com):
>> On 12/5/2012 2:20 PM, Serge Hallyn wrote:
>>> Quoting Andy Lutomirski (l...@amacapital.net):
On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn
wrote:
> Quoting Andy Lutomirski
Quoting Casey Schaufler (ca...@schaufler-ca.com):
> On 12/5/2012 2:20 PM, Serge Hallyn wrote:
> > Quoting Andy Lutomirski (l...@amacapital.net):
> >> On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn
> >> wrote:
> >>> Quoting Andy Lutomirski (l...@amacapital.net):
> On Tue, Dec 4, 2012 at 5:54
Quoting Casey Schaufler (ca...@schaufler-ca.com):
On 12/5/2012 2:20 PM, Serge Hallyn wrote:
Quoting Andy Lutomirski (l...@amacapital.net):
On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn serge.hal...@canonical.com
wrote:
Quoting Andy Lutomirski (l...@amacapital.net):
On Tue, Dec 4, 2012
On 12/7/2012 6:42 AM, Serge E. Hallyn wrote:
Quoting Casey Schaufler (ca...@schaufler-ca.com):
On 12/5/2012 2:20 PM, Serge Hallyn wrote:
Quoting Andy Lutomirski (l...@amacapital.net):
On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn serge.hal...@canonical.com
wrote:
Quoting Andy Lutomirski
On Fri, Dec 7, 2012 at 9:07 AM, Andrew G. Morgan mor...@kernel.org wrote:
I'm still missing something with the problem definition.
So far if I follow the discussion we have determined that inheritance
as implemented is OK except for the fact that giving user an
inheritable pI bit which gives
On 12/5/2012 2:20 PM, Serge Hallyn wrote:
> Quoting Andy Lutomirski (l...@amacapital.net):
>> On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn
>> wrote:
>>> Quoting Andy Lutomirski (l...@amacapital.net):
On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn wrote:
> Quoting Andy Lutomirski
On 12/5/2012 2:20 PM, Serge Hallyn wrote:
Quoting Andy Lutomirski (l...@amacapital.net):
On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn serge.hal...@canonical.com
wrote:
Quoting Andy Lutomirski (l...@amacapital.net):
On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn se...@hallyn.com wrote:
Quoting Andy Lutomirski (l...@amacapital.net):
> On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn
> wrote:
> > Quoting Andy Lutomirski (l...@amacapital.net):
> >> On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn wrote:
> >> > Quoting Andy Lutomirski (l...@amacapital.net):
> >> >> >> d) If I really
On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn wrote:
> Quoting Andy Lutomirski (l...@amacapital.net):
>> On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn wrote:
>> > Quoting Andy Lutomirski (l...@amacapital.net):
>> >> >> d) If I really wanted, I could emulate execve without actually doing
>> >>
Quoting Andy Lutomirski (l...@amacapital.net):
> On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn wrote:
> > Quoting Andy Lutomirski (l...@amacapital.net):
> >> >> d) If I really wanted, I could emulate execve without actually doing
> >> >> execve, and capabilities would be inherited.
> >> >
> >>
On 12/05/2012 09:32 PM, Andy Lutomirski wrote:
>Anyway, implementing the features you want in a new module is encouraged,
>so long as the behavior of the existing module stays the same.
I'll think about it some more and do it possibly using a sysctl.
Adding this kind of stuff in a module is asking
On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn wrote:
> Quoting Andy Lutomirski (l...@amacapital.net):
>> >> d) If I really wanted, I could emulate execve without actually doing
>> >> execve, and capabilities would be inherited.
>> >
>> > If you could modify the executable properties of the
On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn se...@hallyn.com wrote:
Quoting Andy Lutomirski (l...@amacapital.net):
d) If I really wanted, I could emulate execve without actually doing
execve, and capabilities would be inherited.
If you could modify the executable properties of the
On 12/05/2012 09:32 PM, Andy Lutomirski wrote:
Anyway, implementing the features you want in a new module is encouraged,
so long as the behavior of the existing module stays the same.
I'll think about it some more and do it possibly using a sysctl.
Adding this kind of stuff in a module is asking
Quoting Andy Lutomirski (l...@amacapital.net):
On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn se...@hallyn.com wrote:
Quoting Andy Lutomirski (l...@amacapital.net):
d) If I really wanted, I could emulate execve without actually doing
execve, and capabilities would be inherited.
If
On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn serge.hal...@canonical.com wrote:
Quoting Andy Lutomirski (l...@amacapital.net):
On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn se...@hallyn.com wrote:
Quoting Andy Lutomirski (l...@amacapital.net):
d) If I really wanted, I could emulate execve
Quoting Andy Lutomirski (l...@amacapital.net):
On Wed, Dec 5, 2012 at 1:05 PM, Serge Hallyn serge.hal...@canonical.com
wrote:
Quoting Andy Lutomirski (l...@amacapital.net):
On Tue, Dec 4, 2012 at 5:54 AM, Serge E. Hallyn se...@hallyn.com wrote:
Quoting Andy Lutomirski
Quoting Andy Lutomirski (l...@amacapital.net):
> >> d) If I really wanted, I could emulate execve without actually doing
> >> execve, and capabilities would be inherited.
> >
> > If you could modify the executable properties of the binary that has
> > the privilege to wield a privilege then you
Quoting Andy Lutomirski (l...@amacapital.net):
d) If I really wanted, I could emulate execve without actually doing
execve, and capabilities would be inherited.
If you could modify the executable properties of the binary that has
the privilege to wield a privilege then you are either
On Sun, Dec 2, 2012 at 6:20 PM, Andrew G. Morgan wrote:
> On Sun, Dec 2, 2012 at 3:04 PM, Andy Lutomirski wrote:
>> On Sun, Dec 2, 2012 at 2:26 PM, Andrew G. Morgan wrote:
>>> On Sun, Dec 2, 2012 at 10:35 AM, Andy Lutomirski
>>> wrote:
On Sun, Dec 2, 2012 at 9:21 AM, Andrew G. Morgan
On Sun, Dec 2, 2012 at 3:04 PM, Andy Lutomirski wrote:
> On Sun, Dec 2, 2012 at 2:26 PM, Andrew G. Morgan wrote:
>> On Sun, Dec 2, 2012 at 10:35 AM, Andy Lutomirski wrote:
>>> On Sun, Dec 2, 2012 at 9:21 AM, Andrew G. Morgan wrote:
There is a fairly well written paper ;-) explaining how
On Sun, Dec 2, 2012 at 2:26 PM, Andrew G. Morgan wrote:
> On Sun, Dec 2, 2012 at 10:35 AM, Andy Lutomirski wrote:
>> On Sun, Dec 2, 2012 at 9:21 AM, Andrew G. Morgan wrote:
>>> There is a fairly well written paper ;-) explaining how things are
>>> supposed to work:
>>>
>>>
On Sun, Dec 2, 2012 at 10:35 AM, Andy Lutomirski wrote:
> On Sun, Dec 2, 2012 at 9:21 AM, Andrew G. Morgan wrote:
>> There is a fairly well written paper ;-) explaining how things are
>> supposed to work:
>>
>> http://ols.fedoraproject.org/OLS/Reprints-2008/hallyn-reprint.pdf
>>
>> The
On Sun, Dec 2, 2012 at 9:21 AM, Andrew G. Morgan wrote:
> There is a fairly well written paper ;-) explaining how things are
> supposed to work:
>
> http://ols.fedoraproject.org/OLS/Reprints-2008/hallyn-reprint.pdf
>
> The inheritable set is not intended to work the way you seem to want.
>
There is a fairly well written paper ;-) explaining how things are
supposed to work:
http://ols.fedoraproject.org/OLS/Reprints-2008/hallyn-reprint.pdf
The inheritable set is not intended to work the way you seem to want.
Naive inheritance like that is quite explicitly the opposite of what
was
On Sun, Dec 2, 2012 at 9:21 AM, Andrew G. Morgan mor...@kernel.org wrote:
There is a fairly well written paper ;-) explaining how things are
supposed to work:
http://ols.fedoraproject.org/OLS/Reprints-2008/hallyn-reprint.pdf
The inheritable set is not intended to work the way you seem to
On Sun, Dec 2, 2012 at 10:35 AM, Andy Lutomirski l...@amacapital.net wrote:
On Sun, Dec 2, 2012 at 9:21 AM, Andrew G. Morgan mor...@kernel.org wrote:
There is a fairly well written paper ;-) explaining how things are
supposed to work:
On Sun, Dec 2, 2012 at 2:26 PM, Andrew G. Morgan mor...@kernel.org wrote:
On Sun, Dec 2, 2012 at 10:35 AM, Andy Lutomirski l...@amacapital.net wrote:
On Sun, Dec 2, 2012 at 9:21 AM, Andrew G. Morgan mor...@kernel.org wrote:
There is a fairly well written paper ;-) explaining how things are
On Sun, Dec 2, 2012 at 3:04 PM, Andy Lutomirski l...@amacapital.net wrote:
On Sun, Dec 2, 2012 at 2:26 PM, Andrew G. Morgan mor...@kernel.org wrote:
On Sun, Dec 2, 2012 at 10:35 AM, Andy Lutomirski l...@amacapital.net wrote:
On Sun, Dec 2, 2012 at 9:21 AM, Andrew G. Morgan mor...@kernel.org
On Sun, Dec 2, 2012 at 6:20 PM, Andrew G. Morgan mor...@kernel.org wrote:
On Sun, Dec 2, 2012 at 3:04 PM, Andy Lutomirski l...@amacapital.net wrote:
On Sun, Dec 2, 2012 at 2:26 PM, Andrew G. Morgan mor...@kernel.org wrote:
On Sun, Dec 2, 2012 at 10:35 AM, Andy Lutomirski l...@amacapital.net
I'd like to be able to run programs (like bash!) as nonroot but with
some capabilities granted. After all these years, it's almost, but
not quite, possible. This is because the transition rule (if root
isn't involved or NOROOT is set) is pP' = (pB' & fP) | (pI' & fI),
and, when execing a program
I'd like to be able to run programs (like bash!) as nonroot but with
some capabilities granted. After all these years, it's almost, but
not quite, possible. This is because the transition rule (if root
isn't involved or NOROOT is set) is pP' = (pB' & fP) | (pI' & fI),
and, when execing a program