[rsbac] AUTH capabilities
Pallai Roland
rsbac@rsbac.org
Mon Nov 11 10:29:28 2002
Hello,
description of the AUTH capabilities said:
" These are ranges of user IDs, which this program may use in a
CHANGE_OWNER (setuid) request. The capabilities are inherited to the
process running the program. "
and why can't restrict seteuid() requests? cap_setuid capability in
this way same as cap_dac_override after seteuid(0).. I know a solution,
but a big overhead to set and force restricted roles aganist seteuid(0)
for processes with cap_setuid and restricted AUTH capabilities.. much
easiest way would be to restrict seteuid() as setuid(), and entrust all
permission checking to linux DAC..
please send a CC to me,
--
DaP