On Wed, Feb 4, 2015 at 1:57 PM, Christoph Lameter <c...@linux.com> wrote:
> On Wed, 4 Feb 2015, Andy Lutomirski wrote:
>
>> But someone will want to run *bash* as an untrusted user with, say,
>> CAP_NET_BIND permitted and ambient. Then that user has a non-empty
>> ambient set, and they can run a setuid-root program, and who knows
>> what will go wrong? Requiring no_new_privs would prevent this type of
>> failure entirely.
>>
>> If we need to relax that later, it's easy, I think. The rule's not
>> that convoluted, and there's precedent for having new fancy features
>> require setting no_new_privs first.
>
> It would make the patch pointless. The case of having to run setuid root
> programs from a shell that has the caps enabled is a routine thing for
> testing etc.
>
That's unfortunate. In that case, we need to figure out what happens when
you run such a setuid root program. I think the answer should be that pA
gets cleared, and that pA also gets cleared if you run a program that has
file caps.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
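The exchange above is about what an execve() should do to the ambient set (pA) when a shell that holds CAP_NET_BIND_SERVICE in pA runs a setuid-root or file-caps binary. The following Python model is an added example, not the patch under discussion and not kernel code: it implements the rule Andy proposes in his reply (a privileged file clears pA), models the stricter alternative he first suggested (raising into pA requires no_new_privs) as an optional check, and fills in the other sets using the exec rules documented in capabilities(7). The no_new_privs handling is a deliberate simplification (setuid and file caps are simply ignored), and the capability numbers are the real ones from linux/capability.h.

```python
# Added example: a model of the execve() capability transition with the
# "privileged file clears the ambient set" rule from the reply above.
# Illustration code only; not the kernel patch. no_new_privs is simplified
# to "setuid and file capabilities are ignored on exec".
from dataclasses import dataclass, replace

# Real Linux capability numbers (linux/capability.h).
CAP_DAC_OVERRIDE = 1
CAP_NET_BIND_SERVICE = 10
ALL_CAPS = frozenset(range(41))
NONE = frozenset()


@dataclass(frozen=True)
class Process:
    permitted: frozenset
    inheritable: frozenset
    effective: frozenset
    ambient: frozenset = NONE
    bounding: frozenset = ALL_CAPS
    no_new_privs: bool = False


@dataclass(frozen=True)
class Binary:
    setuid_root: bool = False
    f_permitted: frozenset = NONE      # file permitted set (fP)
    f_inheritable: frozenset = NONE    # file inheritable set (fI)
    f_effective: bool = False          # file effective bit (fE)


def is_privileged(binary: Binary) -> bool:
    """A file is privileged if it is setuid-root or carries file caps."""
    return binary.setuid_root or bool(binary.f_permitted or binary.f_inheritable)


def raise_ambient(proc: Process, cap: int, require_nnp: bool) -> Process:
    """Model of PR_CAP_AMBIENT_RAISE: the cap must already be in pP and pI.
    require_nnp=True adds the stricter rule first proposed in the thread,
    that no_new_privs must be set before anything can enter pA."""
    if cap not in proc.permitted or cap not in proc.inheritable:
        raise PermissionError("cap must be in pP and pI to become ambient")
    if require_nnp and not proc.no_new_privs:
        raise PermissionError("ambient raise requires no_new_privs")
    return replace(proc, ambient=proc.ambient | {cap})


def do_exec(proc: Process, binary: Binary) -> Process:
    """Capability sets of the new program image after execve()."""
    if proc.no_new_privs:
        # Simplification: no_new_privs means exec grants no privilege,
        # so treat the file as having neither setuid nor file caps.
        binary = Binary()
    # The rule from the reply: a privileged file clears pA.
    new_ambient = NONE if is_privileged(binary) else proc.ambient
    if binary.setuid_root:
        # setuid-root is treated as fP = fI = all caps with fE set.
        f_perm, f_inh, f_eff = ALL_CAPS, ALL_CAPS, True
    else:
        f_perm, f_inh, f_eff = binary.f_permitted, binary.f_inheritable, binary.f_effective
    # capabilities(7) exec rules, with the (possibly cleared) ambient set added.
    new_permitted = (proc.inheritable & f_inh) | (f_perm & proc.bounding) | new_ambient
    new_effective = new_permitted if f_eff else new_ambient
    # pI and the bounding set are unchanged by exec.
    return replace(proc, permitted=new_permitted, effective=new_effective,
                   ambient=new_ambient)


def shell_with_ambient_bind() -> Process:
    """The scenario from the thread: an untrusted shell whose only
    capability is CAP_NET_BIND_SERVICE, held in pP, pI and pA."""
    caps = frozenset({CAP_NET_BIND_SERVICE})
    return Process(permitted=caps, inheritable=caps, effective=caps, ambient=caps)


if __name__ == "__main__":
    shell = shell_with_ambient_bind()
    plain = do_exec(shell, Binary())
    suid = do_exec(shell, Binary(setuid_root=True))
    fcap = do_exec(shell, Binary(f_permitted=frozenset({CAP_DAC_OVERRIDE}), f_effective=True))
    print("plain binary keeps pA:", plain.ambient == shell.ambient)
    print("setuid-root clears pA:", suid.ambient == NONE)
    print("file-caps binary clears pA:", fcap.ambient == NONE, "pP =", sorted(fcap.permitted))
```

Running the three scenarios shows the effect of the rule: an ordinary binary inherits CAP_NET_BIND_SERVICE through pA as intended, while a setuid-root or file-caps binary starts with an empty pA, so the shell's ambient capability never adds to what the privileged program was built to hold.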