CAPs

Andrew Morgan morgan at transmeta.com
Fri Nov 5 21:54:49 GMT 1999


There is setting your own capabilities (having CAP_xxx in your permitted
set) and there is setting another process' capabilities (having an
effective CAP_SETPCAP). It is the latter that is the abomination. The
cap_set_proc() function is the 'POSIX' one and it's fine - I would
believe that IRIX supports this. The bit I'm warning against is the back
end to this libcap function which is the Linux capset() system call
which does include support for the CAP_SETPCAP stuff.

CAP_SETPCAP introduces a 'hand of god' capability manipulation method
and is about as orthogonal to the spirit of the POSIX draft as one can
get. Not to mention the fact that it's really tricky to inform a process
it just got a new capability, it requires a daemon and some interprocess
communication to do without pretty obvious race conditions (which brings
up an authentication issue) and one should pause for thought when you
consider how to verify/audit that it's being used correctly on a running
system.

Cheers

Andrew

James Buster wrote:
> 
> On Nov 5,  9:13am, Andrew Morgan wrote:
> } Actually, this is an abomination that was forced on me, kicking and
> } screaming. It's a capability that is basically so hard to use safely it
> } is dangerous.
> 
> IRIX has this, btw. It is very necessary. How else do you set a user's
> initial capability state when they log in, for example?
> 
> --
> Planet Bog -- pools of toxic chemicals bubble under a choking
> atmosphere of poisonous gases... but aside from that, it's not
> much like Earth.
> To Unsubscribe: send mail to majordomo at cyrus.watson.org
> with "unsubscribe posix1e" in the body of the message
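Editor's illustration of the two paths the message contrasts. This is added code, not part of Andrew Morgan's message and not libcap's or the kernel's source: it is a simplified model of the admissibility check in the Linux 2.2-era capset() system call, written from memory of that logic. Capability sets are modelled as 32-bit masks (as they were in 1999), pids are plain ints, a single target process is assumed (the process-group and "all processes" forms of the call are left out), and the bit indices for CAP_SETPCAP and CAP_NET_BIND_SERVICE are the ones Linux uses. The self path is what cap_set_proc() ends up doing; the cross-process path is the one gated only by an effective CAP_SETPCAP, and the audit helper flags the event the author says one should be able to verify on a running system.

```c
/*
 * Added example (not from the original message, libcap, or the kernel):
 * a model of the Linux 2.2-era capset() rule, simplified to single targets.
 * Capability sets are 32-bit masks, as they were in 1999.
 */
#include <stdint.h>
#include <stdbool.h>

#define CAP_SETPCAP          8    /* bit index Linux uses for CAP_SETPCAP */
#define CAP_NET_BIND_SERVICE 10   /* bit index Linux uses; sample data only */
#define CAP_BIT(c)           (1u << (c))

typedef struct {
    int      pid;
    uint32_t effective;
    uint32_t permitted;
    uint32_t inheritable;
} cap_state;

/* True when every bit of a is also set in b. */
static bool cap_issubset(uint32_t a, uint32_t b) { return (a & ~b) == 0; }

/* Model of the capset() check. Returns 0 on success, -1 for EPERM.
 * caller == target is the self path (what cap_set_proc() boils down to). */
int model_capset(const cap_state *caller, cap_state *target,
                 uint32_t eff, uint32_t perm, uint32_t inh)
{
    /* Touching another process is gated only by the caller's effective CAP_SETPCAP. */
    if (target != caller && !(caller->effective & CAP_BIT(CAP_SETPCAP)))
        return -1;
    /* The target's new inheritable and permitted sets may draw on the target's
     * current set *or* on the caller's permitted set. On the self path both are
     * the same set, so a process can only shrink or rearrange what it holds. */
    if (!cap_issubset(inh, target->inheritable | caller->permitted))
        return -1;
    if (!cap_issubset(perm, target->permitted | caller->permitted))
        return -1;
    /* The new effective set is always bounded by the new permitted set. */
    if (!cap_issubset(eff, perm))
        return -1;
    target->effective   = eff;
    target->permitted   = perm;
    target->inheritable = inh;
    return 0;
}

/* Audit helper: a cross-process capset() that enlarges the target's permitted
 * set is the "hand of god" event worth logging. True if the target gained
 * bits it did not previously hold. */
bool grants_new_permitted(uint32_t old_perm, uint32_t new_perm)
{
    return (new_perm & ~old_perm) != 0;
}

/* Scenario 1: a process drops CAP_SETPCAP from its own sets. Returns 0. */
int scenario_self_drop(void)
{
    cap_state self = { 100, CAP_BIT(CAP_SETPCAP), CAP_BIT(CAP_SETPCAP), 0 };
    return model_capset(&self, &self, 0, 0, 0);
}

/* Scenario 2: a process without CAP_SETPCAP tries to change another pid.
 * Refused at the gate, before any subset rule is consulted. Returns -1. */
int scenario_cross_without_setpcap(void)
{
    cap_state caller = { 100, 0, CAP_BIT(CAP_NET_BIND_SERVICE), 0 };
    cap_state target = { 200, 0, 0, 0 };
    return model_capset(&caller, &target, 0, CAP_BIT(CAP_NET_BIND_SERVICE), 0);
}

/* Scenario 3: with an effective CAP_SETPCAP the caller can hand a target a
 * bit from the caller's own permitted set that the target never held, and
 * the target is never told. Returns true because the audit helper flags it. */
bool scenario_hand_of_god(void)
{
    cap_state caller = { 100, CAP_BIT(CAP_SETPCAP),
                         CAP_BIT(CAP_SETPCAP) | CAP_BIT(CAP_NET_BIND_SERVICE), 0 };
    cap_state target = { 200, 0, 0, 0 };
    uint32_t before = target.permitted;
    if (model_capset(&caller, &target, CAP_BIT(CAP_NET_BIND_SERVICE),
                     CAP_BIT(CAP_NET_BIND_SERVICE), 0) != 0)
        return false;
    return grants_new_permitted(before, target.permitted);
}
```

The three scenarios make the message's distinction concrete: on the self path the subset rules alone bound the outcome, so no special privilege is needed beyond already holding the bits; on the cross-process path the only thing standing between the caller and another process' sets is one effective bit, and the target has no way of noticing the change, which is why the author points at daemons, races and auditing.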