| 1 |
On Sat, 17 Apr 2010 23:40:01 +0200, Jonathan wrote about Re: |
| 2 |
[gentoo-user] How many ways are there for a user to increase their |
| 3 |
permissions?: |
| 4 |
|
| 5 |
>On Sat, 17 Apr 2010 21:45:57 +0100 |
| 6 |
>David W Noon <dwnoon@××××××××.com> wrote: |
| 7 |
> |
| 8 |
>> In fact, POSIX capabilities are a mechanism to *reduce* a program's |
| 9 |
>> permissions, not increase them. |
| 10 |
> |
| 11 |
>It's true that Linux "capabilities" are used to replace SUID and that |
| 12 |
>does reduce the programs permissions. On the other hand programs like |
| 13 |
>Wine. Which no one would never run with SUID could be run with |
| 14 |
>CAP_NET_RAW. That would be a increase in permissions. Wine needs to be |
| 15 |
>able to ping because some program need to use IPX[1], Like Red Alert |
| 16 |
>2. Someone has made a patch for Red Alert 2 to use TCP/IP and I can |
| 17 |
>not think of another program off the top of my head. |
| 18 |
|
| 19 |
If any Joe Schmoe could imbue a program with capabilities, this might |
| 20 |
be true. But that's not the way the system works. |
| 21 |
|
| 22 |
Only root can run the setcap program to add capabilities to a program, |
| 23 |
at least on a normal, UNIX-style security system. On a role-based |
| 24 |
security system, even root might not be permitted to do this. |
| 25 |
|
| 26 |
>That information came from "man 7 capabilities". So I guess it's all |
| 27 |
>about how you look at it. |
| 28 |
> |
| 29 |
>[1] http://en.wikipedia.org/wiki/Internetwork_Packet_Exchange |
| 30 |
|
| 31 |
Unfortunately, I'm old enough to have used IPX/SPX networking in the |
| 32 |
days when Novell Netware (a.k.a. Slowvell Slugware) was considered a |
| 33 |
serious network system. |
| 34 |
-- |
| 35 |
Regards, |
| 36 |
|
| 37 |
Dave [RLU #314465] |
| 38 |
====================================================================== |
| 39 |
dwnoon@××××××××.com (David W Noon) |
| 40 |
====================================================================== |
Archives