On Sat, Nov 15, 2014 at 06:35:05PM -0800, Josh Triplett wrote: > >So arbitrarily anyone to drop groups from their supplemental group > >list will result in a change from both existing practice and legacy > >Unix systems, and it could potentially lead to a security exposure. > > As Andy pointed out, you can already do that with a user namespace, > for any case not involving a setuid or setgid (or otherwise > privilege-gaining) program. And requiring no_new_privs handles > that. Well, it's no worse than what we can do already with the user namespace, yes. I'm still worried it's going to come as a surprise for some configurations because it's a change from what was allowed historically. Then again, pretty much all of the tripwire and rootkit scanners won't notice a "setuid" program that uses capabilities instead of the traditional setuid bit, and most sysadmins won't think to check for an executable with a forced capability mask, so this isn't exactly a new problem.... - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
