OpenVZ Forum
Home » Mailing lists » Devel » [PATCH 0/3] capabilities: per-process capbset
Re: [PATCH 0/3] capabilities: per-process capbset [message #21107 is a reply to message #21067] Mon, 01 October 2007 23:03
James Morris
Messages: 10
Registered: March 2006
On Mon, 1 Oct 2007, Serge E. Hallyn wrote:

> Here is a new per-process capability bounding set patchset
> which I expect to send to linux-kernel soon.  It makes
> the capbset per-process.  A process can only permanently
> remove bits from its bounding set, not add them.  To
> remove bits, CAP_SYS_ADMIN is currently needed.  Maybe
> that's not the best choice, but some privilege should
> probably be required.

I'm not clear on why privilege would be required for a process to remove 
capability bits from its set.  (Sure, if running setuid.)

Doesn't that just make it more difficult to write safe applications?


-- 
James Morris
<jmorris@namei.org>
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
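The exchange above is about two properties of the per-process bounding set: a process can only clear bits, never set them, and clearing currently needs privilege. The following is an added example, not code from the posted patchset or from either author. It uses the prctl() interface this work eventually landed as in mainline Linux (PR_CAPBSET_READ / PR_CAPBSET_DROP, 2.6.25 and later), where the drop is gated on CAP_SETPCAP rather than the CAP_SYS_ADMIN mentioned in the posting. It assumes Linux with glibc headers; the choice of CAP_SYS_BOOT as the bit to drop is arbitrary. Run unprivileged it shows the EPERM that James Morris is questioning; run as root it shows the bit going away for good.

```c
/* Added example (not part of the posted patchset): exercise the per-process
 * capability bounding set through the prctl() interface that this work later
 * landed as in mainline Linux (2.6.25+). Assumptions: Linux, glibc headers.
 * PR_CAPBSET_DROP requires CAP_SETPCAP, and a dropped bit cannot be set again. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* 1 if cap is in the caller's bounding set, 0 if cleared, -1 on error (errno
 * set; EINVAL for a capability number the kernel does not know). */
int capbset_has(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Cross-check against the CapBnd mask the kernel exports in /proc/self/status.
 * Returns 1/0 for the bit, -1 if /proc is unavailable or cap is out of range. */
int capbnd_from_proc(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapBnd:", 7) == 0) {
            /* strtoull skips the tab and parses the 64-bit hex mask */
            unsigned long long mask = strtoull(line + 7, NULL, 16);
            if (cap >= 0 && cap < 64)
                rc = (int)((mask >> cap) & 1ULL);
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Try to remove cap from the bounding set permanently.
 * Returns 0 if the drop succeeded and PR_CAPBSET_READ confirms the bit is gone,
 * 1 if the kernel refused with EPERM (caller lacks CAP_SETPCAP: the privilege
 * requirement the reply above questions), -1 on any other error. */
int try_drop_and_verify(int cap)
{
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == -1)
        return errno == EPERM ? 1 : -1;
    /* Monotonic: there is no PR_CAPBSET_ADD, so once this reads 0 it stays 0
     * for this process and for everything it later exec()s. */
    return capbset_has(cap) == 0 ? 0 : -1;
}

int main(void)
{
    int cap = CAP_SYS_BOOT; /* a harmless bit to experiment with (assumption) */
    printf("CAP_SYS_BOOT in bounding set before: prctl=%d /proc=%d\n",
           capbset_has(cap), capbnd_from_proc(cap));
    int rc = try_drop_and_verify(cap);
    if (rc == 1)
        printf("drop refused: EPERM (no CAP_SETPCAP; run as root to see it succeed)\n");
    else if (rc == 0)
        printf("dropped; after: prctl=%d /proc=%d\n",
               capbset_has(cap), capbnd_from_proc(cap));
    else
        perror("PR_CAPBSET_DROP");
    return rc < 0 ? 1 : 0;
}
```

Note that the bounding set only limits what can be gained across exec(); dropping CAP_SYS_BOOT here does not remove it from the running process's permitted set, which is why a hardened launcher drops from the bounding set before calling execve() on the program it wants to confine.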