In article <[EMAIL PROTECTED]>,
Marco d'Itri <[EMAIL PROTECTED]> wrote:
>On Nov 15, Miquel van Smoorenburg <[EMAIL PROTECTED]> wrote:
>
> >>Sorry: http://www.linux.it/~md/software/ssd.tgz .
> >
> >Should that go into /sbin/init itself, so that you can boot with
> >initcaps=eip,cap_setpcap+eip on t
On Sun, 16 Nov 2003, Marco d'Itri wrote:
> On Nov 15, Miquel van Smoorenburg <[EMAIL PROTECTED]> wrote:
> >too early to put that into init upstream ?
> I don't know. It was a quick hack I made because I wanted to play with
> capabilities. I suppose that there is a reason if whoever designed this
>
On Nov 15, Miquel van Smoorenburg <[EMAIL PROTECTED]> wrote:
>>Sorry: http://www.linux.it/~md/software/ssd.tgz .
>
>Should that go into /sbin/init itself, so that you can boot with
>initcaps=eip,cap_setpcap+eip on the command line ? Or is it still
>too early to put that into init upstream ?
I
On Sat, 15 Nov 2003, Miquel van Smoorenburg wrote:
> In article <[EMAIL PROTECTED]>,
> Marco d'Itri <[EMAIL PROTECTED]> wrote:
> >On Nov 15, Junichi Uekawa <[EMAIL PROTECTED]> wrote:
> >Sorry: http://www.linux.it/~md/software/ssd.tgz .
>
> Should that go into /sbin/init itself, so that you can bo
In article <[EMAIL PROTECTED]>,
Marco d'Itri <[EMAIL PROTECTED]> wrote:
>On Nov 15, Junichi Uekawa <[EMAIL PROTECTED]> wrote:
>
> >> >And if I enable SETPCAP for init, will init drop that capability? Will it
> >> >pass it to all started programs?
> >> See http://www.linux.it/~md/ssd.tgz .
> >> N
On Nov 15, Junichi Uekawa <[EMAIL PROTECTED]> wrote:
>> >And if I enable SETPCAP for init, will init drop that capability? Will it
>> >pass it to all started programs?
>> See http://www.linux.it/~md/ssd.tgz .
>> No kernel hacks needed.
>I see a 404.
Sorry: http://www.linux.it/~md/software/
> >And if I enable SETPCAP for init, will init drop that capability? Will it
> >pass it to all started programs?
> See http://www.linux.it/~md/ssd.tgz .
> No kernel hacks needed.
I see a 404.
regards,
junichi
On Nov 12, Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
>And if I enable SETPCAP for init, will init drop that capability? Will it
>pass it to all started programs?
See http://www.linux.it/~md/ssd.tgz .
No kernel hacks needed.
--
ciao, |
Marco | [3024 laxXsj4w1O.aE]
On Wed, Nov 12, 2003 at 07:35:05AM -0700, Hans Fugal wrote:
> So yes, it is broken on purpose (because the real solution is not in
> place). No, it doesn't make capabilities useless, it just makes it
> impossible to use CAP_SETPCAP.
And if I enable SETPCAP for init, will init drop that capability?
* Francesco P. Lovergine [Wed, 12 Nov 2003 at 14:48 +0100]
> It has implications for libcap* packages too, doesn't it?
From libcap2's README.Debian:
This library should be used in conjunction with the kernel patches
from
http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2
* Francesco P. Lovergine [Wed, 12 Nov 2003 at 14:48 +0100]
> It has implications for libcap* packages too, doesn't it?
I would assume so.
--
Hans Fugal | De gustibus non disputandum est.
http://hans.fugal.net/ | Debian, vim, mutt, ruby, text, gpg
http://gdmxml.fugal.net/ |
* Daniel Jacobowitz [Tue, 11 Nov 2003 at 22:18 -0500]
> I would want considerably more information on the security implications
> of allowing CAP_SETPCAP than either of those documents provides, if I
> were you.
>
> The POSIX capability code is notoriously subtle and prone to anger.
Which is why
On Tue, Nov 11, 2003 at 07:11:47PM -0700, Hans Fugal wrote:
> In order to get realtime capabilities, jackd can be run with a suid
> wrapper (jackstart), instead of being run as root, if the following
> patch is applied to the kernel:
>
It has implications for libcap* packages too, doesn't it?
-
On Tue, Nov 11, 2003 at 07:11:47PM -0700, Hans Fugal wrote:
> In order to get realtime capabilities, jackd can be run with a suid
> wrapper (jackstart), instead of being run as root, if the following
> patch is applied to the kernel:
>
> --- capability.h.old2003-11-11 19:57:49.0 -0700
On Tue, Nov 11, 2003 at 07:11:47PM -0700, Hans Fugal wrote:
> -#define CAP_INIT_EFF_SETto_cap_t(~0&~CAP_TO_MASK(CAP_SETPCAP))
> -#define CAP_INIT_INH_SETto_cap_t(0)
> +#define CAP_INIT_EFF_SETto_cap_t(~0)
> +#define CAP_INIT_INH_SETto_cap_t(~0)
>
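Review bot: the CAP_INIT_INH_SET line goes from to_cap_t(0) to to_cap_t(~0), so init's inheritable set changes from empty to every capability, which is a wider change than removing the CAP_SETPCAP mask from CAP_INIT_EFF_SET on the line above it, and neither define carries a comment saying why. Please document in the header why the inheritable set has to be ~0 for the jackstart wrapper, or narrow it to the capabilities the wrapper actually hands to jackd, because these defines are the defaults for init and therefore affect every process on the system, not only jackd.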
> Would it be inappropriate to crea
In order to get realtime capabilities, jackd can be run with a suid
wrapper (jackstart), instead of being run as root, if the following
patch is applied to the kernel:
--- capability.h.old2003-11-11 19:57:49.0 -0700
+++ capability.h2003-11-11 19:56:55.0 -0700
@@ -303,8