CAPs

James Buster bitbug at seal.engr.sgi.com
Fri Oct 1 00:25:02 GMT 1999


On Sep 30,  7:34pm, Robert Watson wrote:
} You may want to take a look at my capabilities-related post earlier this
} year, and also at the Linux implementation.  My main objection to the
} POSIX.1e capabilities was that many of them seem equivalent when viewed in
} the context of UNIX.

I assure you they aren't. They are only "equivalent" if you are
maintaining the notion of a superuser.

} For example, the ability to read any file or write any file can give you
} control over the authentication system

The ability to read things gives you no control. Only the ability to
*write* authentication or audit data can do that. The read capabilities
are relatively harmless as far as capabilities go. Except for the case
of getting data like passwords, being able to read anything is not
especially interesting as far as being able to take control of a system
is concerned. What you really want is to be able to change authentication
data and hide the fact by altering audit data.

} However, the Linux people have defined a set of capabilities that are
} perhaps more useful in a traditional UNIX environment rather than one
} completely rewritten to be a trusted operating system.

The Linux people are 
	a) using an old draft of 1e
	b) unnecessarily conflating read and write privileges

} The real barrier to plain-old-bitwise capabilities is getting file system
} integration--as I understand it, this has held up the Linux folks.  I
} believe they have all the code in a kernel, but that Ext2fs doesn't have
} the meta-data available.

The kernel is completely missing inherited or permitted capability
vectors.

-- 
Planet Bog -- pools of toxic chemicals bubble under a choking
atmosphere of poisonous gases... but aside from that, it's not
much like Earth.
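Editor's note: the message above argues over what the inherited and permitted
capability vectors buy you. The following is an added example, not code from
the original post or from any kernel, showing how those vectors combine at
exec time under the rules modern Linux documents in capabilities(7) (the
ambient set and the bounding set postdate this 1999 thread). The bit numbers
are Linux's real ones from linux/capability.h; the sample process and file
sets are constructed for illustration, and the wrapper permitted_after_exec is
a helper invented here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One bit per capability; Linux defines fewer than 64 today. */
typedef uint64_t capset_t;
#define CAPBIT(n) ((capset_t)1 << (n))

/* Real Linux bit numbers from <linux/capability.h>, chosen because they
 * illustrate the read/write split discussed in the thread. */
#define CAP_DAC_OVERRIDE     1   /* bypass read, write and execute checks */
#define CAP_DAC_READ_SEARCH  2   /* bypass read and directory-search checks only */
#define CAP_AUDIT_WRITE     29   /* write records to the kernel audit log */

/* Per-process capability vectors (thread credentials). */
struct pcaps {
    capset_t permitted, inheritable, effective, ambient, bounding;
};

/* File capability vectors stored in the security.capability xattr. */
struct fcaps {
    capset_t permitted, inheritable;
    bool     effective;   /* single bit: raise new permitted into effective */
};

/* Exec-time transformation as documented in capabilities(7) for a
 * non-root caller:
 *   P'(ambient)     = (file carries caps) ? 0 : P(ambient)
 *   P'(permitted)   = (P(inheritable) & F(inheritable))
 *                   | (F(permitted)   & P(bounding))
 *                   | P'(ambient)
 *   P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
 *   P'(inheritable) = P(inheritable)
 *   P'(bounding)    = P(bounding)
 */
struct pcaps cap_exec(const struct pcaps *p, const struct fcaps *f)
{
    struct pcaps n;
    bool privileged_file = (f->permitted | f->inheritable) != 0;

    n.ambient     = privileged_file ? 0 : p->ambient;
    n.permitted   = (p->inheritable & f->inheritable)
                  | (f->permitted & p->bounding)
                  | n.ambient;
    n.effective   = f->effective ? n.permitted : n.ambient;
    n.inheritable = p->inheritable;
    n.bounding    = p->bounding;
    return n;
}

/* Hypothetical helper: permitted set after a non-root process holding only
 * proc_inheritable (full bounding set, empty ambient set) execs a file
 * carrying file_inheritable / file_permitted with the effective bit set. */
capset_t permitted_after_exec(capset_t proc_inheritable,
                              capset_t file_inheritable,
                              capset_t file_permitted)
{
    struct pcaps p = { 0, proc_inheritable, 0, 0, ~(capset_t)0 };
    struct fcaps f = { file_permitted, file_inheritable, true };
    return cap_exec(&p, &f).permitted;
}

static void print_set(const char *label, capset_t s)
{
    printf("%-8s", label);
    for (int i = 0; i < 64; i++)
        if (s & CAPBIT(i)) printf(" %d", i);
    printf("%s\n", s ? "" : " (none)");
}

int main(void)
{
    /* Constructed sample: a binary that asks for DAC_READ_SEARCH and
     * DAC_OVERRIDE via F(inheritable) and for AUDIT_WRITE via F(permitted). */
    capset_t f_inh  = CAPBIT(CAP_DAC_READ_SEARCH) | CAPBIT(CAP_DAC_OVERRIDE);
    capset_t f_perm = CAPBIT(CAP_AUDIT_WRITE);

    /* Caller whose inheritable set holds only the read-side capability:
     * DAC_OVERRIDE is withheld even though the file asks for it. */
    print_set("reader:", permitted_after_exec(CAPBIT(CAP_DAC_READ_SEARCH), f_inh, f_perm));

    /* Caller with an empty inheritable set: only F(permitted) survives. */
    print_set("plain:", permitted_after_exec(0, f_inh, f_perm));
    return 0;
}
```

The point the example makes concrete: F(inheritable) never grants anything on
its own; it is ANDed with the caller's inheritable vector, so a process that
was only ever handed the read-side capability cannot pick up the write-side
one from a file, while F(permitted) is granted outright (subject only to the
bounding set). Without per-process inheritable and permitted vectors there is
nothing for the file's vectors to intersect with, which is what the last
paragraph of the message is complaining about.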