Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

[PATCH] 2.6.0-test6: Filesystem capabilities 0.15

1 view
Skip to first unread message

Olaf Dietsche

unread,
Oct 3, 2003, 8:10:14 PM10/3/03
to
This *untested* patch implements filesystem capabilities. It allows to
run privileged executables without the need for suid root.

Changes:
- updated to 2.6.0-test6
- added lscap to show fs caps for a particular file

This patch is available at:
<http://www.olafdietsche.de/linux/capability/>

Regards, Olaf.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Andy Lutomirski

unread,
Oct 4, 2003, 3:30:12 AM10/4/03
to
Olaf Dietsche wrote:

> This *untested* patch implements filesystem capabilities. It allows
> to run privileged executables without the need for suid root.
>
> Changes: - updated to 2.6.0-test6 - added lscap to show fs caps for a
> particular file
>
> This patch is available at:
> <http://www.olafdietsche.de/linux/capability/>
>

I have an alternate patch, implementing file capabilities using xattrs.
It also implements the
exec changes I proposed a few days back, but this time around it's a
config option. Note that
this patch is very non-intrusive. The user API is through setxattr and
friends, and the changes
to any filesystem to support this patch are minimal (add the
system.capabilities xattr and
validate its contents on setxattr).

The patch and user tools are at http://www.stanford.edu/~luto/linux-fscap/
(Apply the cap- patches in order. Patches are against 2.6.0-test6 vanilla.)

Olaf -- what do you think? (I like your CAP_SETFCAP addition -- I may
add it to my patch.
Currently anyone can chcap their own files, as long as they hold the
capabilities they want
to permit.)

Example:
$ su
# cp `which ping` myping
# chmod 755 myping
# chcap cap_net_raw+p myping
# exit
$ ./myping localhost

-- Andy Lutomirski

Olaf Dietsche

unread,
Oct 4, 2003, 6:50:09 PM10/4/03
to
Hi Andy,

Andy Lutomirski <lu...@stanford.edu> writes:

> I have an alternate patch, implementing file capabilities using
> xattrs.

[...]


> The patch and user tools are at http://www.stanford.edu/~luto/linux-fscap/
> (Apply the cap- patches in order. Patches are against 2.6.0-test6 vanilla.)

I glanced over it and it looks interesting. Thanks for this
alternative view.

> Olaf -- what do you think? (I like your CAP_SETFCAP addition -- I may
> add it to my patch.

This is not my invention. It is part of the POSIX standard, see
<http://wt.xpilot.org/publications/posix.1e/> and
<http://wt.xpilot.org/publications/posix.1e/download.html>

Regards, Olaf.

0 new messages