[rsbac] Missing CAPs are not logged
Amon Ott
ao at rsbac.org
Fri Jan 21 09:13:43 CET 2005
On Thursday 20 January 2005 20:01, Andrea Pasquinucci wrote:
> On Thu, Jan 20, 2005 at 09:27:37AM +0100, Amon Ott wrote:
> * On each setuid and execute, the CAP module sets the given minimum caps
> * and removes those not in the maximum set.
>
> Let me see if I understand correctly, the minimum capabilities are added
> if the process does not have them (but usually caps_min is all 0) and
> the maximum capabilities not in the set are removed if the process has
> them (but usually caps_max is all 1), right?
Right. I have also made this more clear in the CAP module description
at http://rsbac.org/documentation/models.php#cap
> * In softmode, the CAP module only enforces the minimum
>
> So it adds them even in softmode
Yes. In softmode you shall get the access you need, so you do get it.
> * but not the maximum values
>
> so it does not remove them (correctly for softmode!), but my question is
> if in softmode it logs or not that it (rsbac) should have removed the
> capability and did not, does it? From what you say next it seems not,
> can it be added in case?
This is a very good idea. I will add an explicit warning for these
cases. Just put it into the v1.2.4 to-do list.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
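
Added example (not part of the original message and not RSBAC source code): a small C model of the behaviour discussed in this thread, showing the minimum set being added in both modes, the maximum set being enforced only outside softmode, and the warning requested for capabilities that softmode leaves in place. The function names, the 32-bit capability vector and the order "add minimum, then apply maximum" are assumptions; the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Linux capability bit numbers (linux/capability.h). */
#define CAP_CHOWN            0
#define CAP_NET_BIND_SERVICE 10
#define CAP_SYS_ADMIN        21
#define BIT(n) ((uint32_t)1 << (n))

/* Hypothetical model of the adjustment on setuid/execute, not RSBAC code.
 * Returns the new capability set. *would_remove receives the bits that lie
 * outside max_caps; in softmode they are kept, and they are exactly what
 * the proposed warning would report. */
static uint32_t cap_adjust(uint32_t cur, uint32_t min_caps, uint32_t max_caps,
                           int softmode, uint32_t *would_remove)
{
    uint32_t with_min = cur | min_caps;       /* minimum set is always added */
    uint32_t excess   = with_min & ~max_caps; /* bits the maximum set forbids */

    *would_remove = excess;
    if (softmode)
        return with_min;                      /* maximum is not enforced */
    return with_min & max_caps;               /* enforcing: excess is removed */
}

/* One warning line per capability softmode left in place; returns the count. */
static int warn_not_removed(uint32_t excess)
{
    int n = 0;
    for (int bit = 0; bit < 32; bit++) {
        if (excess & BIT(bit)) {
            fprintf(stderr, "softmode: capability %d not in max set, not removed\n", bit);
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample: process holds CHOWN and SYS_ADMIN. */
    uint32_t cur = BIT(CAP_CHOWN) | BIT(CAP_SYS_ADMIN);
    uint32_t min_caps = BIT(CAP_NET_BIND_SERVICE);
    uint32_t max_caps = ~BIT(CAP_SYS_ADMIN);
    uint32_t excess;
    uint32_t soft = cap_adjust(cur, min_caps, max_caps, 1, &excess);
    printf("softmode caps=0x%08x warnings=%d\n", (unsigned)soft, warn_not_removed(excess));
    return 0;
}
```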