[rsbac] AUTH capabilities

Pallai Roland rsbac@rsbac.org
Mon Nov 11 10:29:28 2002


 description of the AUTH capabilities said:
 " These are ranges of user IDs, which this program may use in a
CHANGE_OWNER (setuid) request. The capabilities are inherited to the
process running the program. "

 and why can't restrict seteuid() requests? cap_setuid capability in
this way same as cap_dac_override after seteuid(0)..  I know a solution,
but a big overhead to set and force restricted roles aganist seteuid(0)
for processes with cap_setuid and restricted AUTH capabilities.. much
easiest way would be to restrict seteuid() as setuid(), and entrust all
permission checking to linux DAC..

please send a CC to me,