On Sat, 17 Apr 2010 23:40:01 +0200, Jonathan wrote about Re:
[gentoo-user] How many ways are there for a user to increase  their
permissions?:

>On Sat, 17 Apr 2010 21:45:57 +0100
>David W Noon <dwn...@ntlworld.com> wrote:
>
>> In fact, POSIX capabilities are a mechanism to *reduce* a program's
>> permissions, not increase them.
>
>It's true that Linux "capabilities" are used to replace SUID and that
>does reduce the program's permissions. On the other hand, programs like
>Wine, which no one would ever run with SUID, could be run with
>CAP_NET_RAW. That would be an increase in permissions. Wine needs to be
>able to ping because some programs need to use IPX[1], like Red Alert
>2. Someone has made a patch for Red Alert 2 to use TCP/IP and I
>cannot think of another program off the top of my head.

If any Joe Schmoe could imbue a program with capabilities, this might
be true.  But that's not the way the system works.

Only root can run the setcap program to add capabilities to a program,
at least on a normal, UNIX-style security system.  On a role-based
security system, even root might not be permitted to do this.

>That information came from "man 7 capabilities". So I guess it's all
>about how you look at it.
>
>[1] http://en.wikipedia.org/wiki/Internetwork_Packet_Exchange

Unfortunately, I'm old enough to have used IPX/SPX networking in the
days when Novell Netware (a.k.a. Slowvell Slugware) was considered a
serious network system.
-- 
Regards,

Dave  [RLU #314465]
======================================================================
dwn...@ntlworld.com (David W Noon)
======================================================================
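
Added example, not part of the original message: capabilities granted with setcap are stored in the file's security.capability extended attribute, so an administrator can audit exactly what a binary (such as the CAP_NET_RAW case discussed above) has been given. This Python code decodes that attribute; the layout constants are from linux/capability.h, the sample bytes are constructed, and parse_file_caps is a hypothetical helper name.

```python
import struct

# Constants from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit (permitted, inheritable) pairs
REVISIONS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}
# Subset of capability numbers, enough for this demonstration
CAP_NAMES = {0: "cap_chown", 7: "cap_setuid", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin"}


def _names(mask):
    """Turn a capability bitmask into a sorted list of names."""
    return sorted(CAP_NAMES.get(bit, f"cap_{bit}")
                  for bit in range(64) if mask >> bit & 1)


def parse_file_caps(blob):
    """Decode the raw value of a file's security.capability xattr."""
    if len(blob) < 4:
        raise ValueError("truncated xattr")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in REVISIONS:
        raise ValueError(f"unknown revision {revision:#x}")
    pairs = REVISIONS[revision]
    # Revision 3 appends a 32-bit namespace root uid after the pairs
    need = 4 + 8 * pairs + (4 if revision == 0x03000000 else 0)
    if len(blob) != need:
        raise ValueError(f"expected {need} bytes, got {len(blob)}")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {
        "permitted": _names(permitted),
        "inheritable": _names(inheritable),
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
    }


# Constructed sample: the bytes `setcap cap_net_raw+ep FILE` stores (revision 2)
SAMPLE = bytes.fromhex("0100000200200000000000000000000000000000")

if __name__ == "__main__":
    print(parse_file_caps(SAMPLE))
```

On a live Linux system the same bytes can be read with os.getxattr(path, "security.capability") and passed to parse_file_caps.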
