-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Serge E. Hallyn wrote: | Andrew, this pretty much was bound to happen... we need to figure out | what our approach here should be. My preference is still to allow | signals when p->uid==current->uid so long as !SECURE_NOROOT. Then as | people start using secure_noroot process trees they at least must know | what they're asking for.
I don't think there is anything special about root. I've been trying to advocate that we remove the *uid == 0 part of this check since we discussed it in November: As I said 11/29/07 [Re: [patch 31/55] file capabilities: don't prevent signaling setuid root programs]: | I actually said (11/26/07): |> >> Serge, |> >> |> >> I still feel a bit uneasy about this. Looking ahead, with filesystem |> >> capabilities, one can simulate this same situation with a setuid |> >> 'non-root' program as follows: |> >> |> >> [... example of simulating the same situation with setuid-non-root ...] |> >> |> >> Is there a compelling reason to include the euid==0 check? So, independent of whether SECURE_NOROOT is in effect or not, I think this particular line should simply read: ~ if (p->uid == current->uid) ~ return 0; | An alternative stance is to accept these things as they come up and try | to quickly work with the authors of such programs to work around it. I | suppose in a security sense that's the superior way :) But it also | seems likely to lead to most people choosing option 2 above and not | bothering to fix the problem. Cheers Andrew -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFHuN1V+bHCR3gb8jsRAkqnAJ9o9j9KALm/LxWRoU9PGo9f7UWNYgCdGTQC Pm0daaJRMhWzcGSsTNgqj44= =EkD2 -----END PGP SIGNATURE----- - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
