On Mon, Dec 10, 2012 at 11:51 AM, Casey Schaufler <ca...@schaufler-ca.com> wrote: > On 12/10/2012 11:31 AM, Andy Lutomirski wrote: >> On Mon, Dec 10, 2012 at 11:13 AM, Casey Schaufler >> <ca...@schaufler-ca.com> wrote: >>> On 12/10/2012 10:12 AM, Andy Lutomirski wrote: >>>> I think that the Windows approach is worth looking at. See here: >>>> >>>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa375202%28v=vs.85%29.aspx >>>> >>>> In the Windows model, each capability ("privilege") can be in one of >>>> three states: enabled (i.e working right now), >>> Effective >>> >>>> permitted (i.e. >>>> available upon request but not currently enabled), >>> Permitted >>> >>>> or removed >>>> (disallowed to this process and all of its children). >>> ~Inherited >> No. It's ~Inherited in a world where every binary has fI = everything. >> >>>> Permitted >>>> privileges are always inherited when a child process is created. >>>> >>>> This is *way* simpler than Linux's model, and it works just fine*. >>> I see a different set of complications, and Windows never had >>> a setuid bit to contend with. God created the universe in seven >>> days, but then, He didn't have an installed base. >>> >> What are those complications? > > I wish I had the time to go into the details, but I just can't.
Um. I'd like to solve what appears to me to be a problem. There's an existing design that, from my perspective, is overcomplicated and doesn't actually do what I want it to do. I'd really like to know what the current design *does* accomplish, since then I can make far more informed proposals for how to fix it. So far, I know of exactly nothing useful that's accomplished by the current design. It would be great if someone would enlighten me. > >> Also, I think we really could get rid of setuid without breaking >> anything with a bit of extra (non-capability-related) plumbing work. > > If RedHat or Ubuntu wanted to take a year off from everything else > they could create a setuid-root free system. It would probably be > easier for Android or ChromiumOS, as they provide more limited > environments. > > It's not "a bit of extra plumbing". I did it for a Unix system and > you'll have to change bunches of existing programs to make it work. > I'm not saying that the changes would be bad, but the sendmail > fiasco arose from just such an effort. You'll also have to train > the users that sudo no longer does them any good. In fact, you'll > be barraged with one question: > "How do I get to be Real root"? > That's not what I'm talking about. Write a daemon. Rig up wrappers for each setuid program to instead call into that daemon and have that daemon invoke the privileged program on behalf of the caller, with a sanitized environment. Be annoyed by a few items on the "linux plumber's wish list" that make this rather difficult right now. sudo would give real root, just like it does today. No setuid bit needed. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
