On Mon, Feb 23, 2015 at 10:44:32AM -0600, Christoph Lameter wrote: > On Mon, 23 Feb 2015, Serge Hallyn wrote: > > > The core concern for amorgan is that an unprivileged user not be > > able to cause a privileged program to run in a way that it fails to > > drop privilege before running unprivileged-user-provided code. > > I do not see a problem with dropping privilege since the ambient set > is supposed to be preserved across a drop of priviledge. Because you're tricking the program into thinking it has dropped the privilege, when in fact it has not. > > Since your desire is precisely for a mode where dropping privilege > > works as usual, but exec then re-gains some or all of that privilege, > > I would say that the ambient set stays active even if the setuid binary > drops to regular perms. > > > we need to either agree on a way to enter that mode that ordinary > > use caes can't be tricked into using, or find a way for legacy > > users to be tpiped off as to what's going on (without having to be > > re-written) > > Well if the ambient set is completely separate then the existing > semantics are preserved while the ambient set stays active as intended. > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html