login
Login
/
Register
Search
Search this site:
Forums
News
Blogs
Features
Site
Home
»
Mailing list archives
»
linux-kernel
»
2008
»
May
»
28
Re: [PATCH] sysctl: permission check based on capability not euid
view
thread
Previous message: [
thread
] [
date
] [
author
]
Next message: [thread] [
date
] [
author
]
[view in full thread]
From: Chris Wright
Subject:
Re: [PATCH] sysctl: permission check based on capability not euid
Date: Wednesday, May 28, 2008 - 1:14 pm
* Stephen Hemminger (
stephen.hemminger@vyatta.com
) wrote:
quoted text
> This patch modifies the permission checks for sysctl's from being based on uid=0 (root) > to use the capability system. This matches the behavior of other OS's using sysctl's > and capabilities. Linux has tried to get away from using uid=0 for security overrides > and use capabilities instead. > > I was working on Quagga enhancement that involved enabling a sysctl, and it didn't > work because is a safe daemon and drops privileges and resets its real/effective uid > after initialization; it then re-enables only the capabilities when it needs to > do some privileged operation. This wouldn't work because sysctl's were still using > the root based permission check. The existing code in quagga to enable ip forwarding > doesn't work for the same reason.
I don't think CAP_SYS_ADMIN makes sense for net.*, for example. --
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to
majordomo@vger.kernel.org
More majordomo info at
http://vger.kernel.org/majordomo-info.html
Please read the FAQ at
http://www.tux.org/lkml/
Previous message: [
thread
] [
date
] [
author
]
Next message: [thread] [
date
] [
author
]
Messages in current thread:
[PATCH] sysctl: permission check based on capability not euid
, Stephen Hemminger
, (Wed May 28, 12:12 pm)
Re: [PATCH] sysctl: permission check based on capability n ...
, Chris Wright
, (Wed May 28, 1:14 pm)
Navigation
Mailing list archives
Recent posts
Popular discussions
linux-kernel
:
Michael Trimarchi
Re: [PATCH] VFS: make file->f_pos access atomic on 32bit arch
Miklos Szeredi
[patch 14/15] vfs: more path_permission() conversions
Serge E. Hallyn
Re: [RFC v5][PATCH 7/8] Infrastructure for shared objects
Bernd Schmidt
Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Takashi Iwai
[PATCH 2/2] input: Add LED support to Synaptics device
git
:
Junio C Hamano
Re: mingw, windows, crlf/lf, and git
Eyvind Bernhardsen
Re: Where has "git ls-remote" reference pattern matching gone?
Shawn O. Pearce
Re: Switching from CVS to GIT
Todd Zullinger
Re: [PATCH 2/2] send-email: rfc2047-quote subject lines with non-ascii characters
Santi Béjar
Re: How to use git-fmt-merge-msg?
linux-netdev
:
Ramkrishna Vepa
[net-2.6 PATCH 1/10] Neterion: New driver: Driver help file
Mark Anthony
invitation / inquiry
Ingo Molnar
Re: [PATCH 08/16] dma-debug: add core checking functions
David Miller
Re: [PATCH 1/3] f_phonet: dev_kfree_skb instead of dev_kfree_skb_any in TX callback
Sascha Hauer
[PATCH 03/12] fec: do not typedef struct types
git-commits-head
:
Linux Kernel Mailing List
amba: struct device - replace bus_id with dev_name(), dev_set_name()
Linux Kernel Mailing List
MIPS: Yosemite: Convert SMP startup lock to arch spinlock.
Linux Kernel Mailing List
ARM: S5PC100: IRQ and timer
Linux Kernel Mailing List
davinci: edma: clear interrupt status for interrupt enabled channels only
Linux Kernel Mailing List
x86, mm, kprobes: fault.c, simplify notify_page_fault()
openbsd-misc
:
Daniel A. Ramaley
Re: [semi-OT] Can anyone recommend an OpenBSD-compatible colour laser printer?
Matthias Kilian
Re: can't get vesa @ 1280x800 or nv
Tobias Ulmer
Re: Problem after upgrade 4.5 to 4.6: ERR M
Philip Guenther
Re: SIGCHLD and libpthread.so
J.C. Roberts
Re: [semi-OT] Can anyone recommend an OpenBSD-compatible colour laser printer?
Colocation donated by:
Syndicate
