[cap-talk] Don't put capabilities in argv?

Rob Meijer capibara at xs4all.nl
Sun Jul 13 03:39:09 CDT 2008


On Sun, July 13, 2008 07:30, Jasvir Nagra wrote:
> On Sat, Jul 12, 2008 at 8:21 PM, Darius Bacon <darius at accesscom.com>
> wrote:
>> Kevin Reid <kpreid at mac.com> wrote:
>>> * The simplest safe-by-default mechanism I can think of is to read the
>>> capability from a file whose name is passed on the command line.
>>
>> How about passing it in the environment?
>>
>>  arg1=secretpassword dosomething
>>
>> instead of
>>
>>  dosomething --arg1 secretpassword
>>
>> This has at least the flaw that environment variables have dynamic
>> scope; but the filesystem is a global scope as well.
>
> Unfortunately a process's environment is just as visible to other
> users as the command line arguments.

For least authority solutions, it is even a potential problem to be
readable by the 'same' user. In fact, the user is not all that relevant a
barrier.

Robolop
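The point being argued in this thread can be checked directly on Linux: argv shows up in /proc/PID/cmdline (world-readable by default) and the environment in /proc/PID/environ (readable by the process owner and root), so a capability passed either way is recoverable by any other process the same user runs. The script below is an added example, not code from the thread or from any of its participants. It starts an idle child three ways (capability in argv, in the environment, and in a mode-0600 file whose name is passed in argv) and probes /proc from the parent. The secret value is constructed for the demo; `python3` on PATH and a mounted /proc are assumed, and the probe returns None where /proc cannot be read.

```python
"""Added example (not from the cap-talk thread): where does a capability
handed to a child process end up being readable by another process of the
same user on Linux?  Compares argv, environment, and a 0600 file whose
*name* is passed on the command line, by reading /proc/<pid>/cmdline and
/proc/<pid>/environ from the parent.

Assumptions: Linux with /proc mounted; sys.executable usable as the child.
"""
import os
import stat
import subprocess
import sys
import tempfile

PROC_AVAILABLE = os.path.isdir("/proc/self")

# Constructed sample capability for the demo; any string works.
SECRET = "cap-7d1f9e0b-do-not-leak"


def proc_read(pid, name):
    """Return the raw bytes of /proc/<pid>/<name>, or None if unreadable."""
    try:
        with open(f"/proc/{pid}/{name}", "rb") as f:
            return f.read()
    except OSError:
        return None


def spawn_idle(argv_extra=(), env_extra=None):
    """Start a child that only sleeps, with the capability passed as requested.
    Popen returns after exec has completed, so /proc already shows the new
    argv and environment of the child."""
    env = dict(os.environ)
    env.update(env_extra or {})
    cmd = [sys.executable, "-c", "import time; time.sleep(60)", *argv_extra]
    return subprocess.Popen(cmd, env=env)


def leak_check(passing_style):
    """True if SECRET is recoverable from the child's /proc cmdline or environ,
    False if it is not, None if /proc could not be probed.
    passing_style is one of 'argv', 'env', 'file'."""
    if not PROC_AVAILABLE:
        return None
    tmp = None
    if passing_style == "argv":
        child = spawn_idle(argv_extra=["--cap", SECRET])
    elif passing_style == "env":
        child = spawn_idle(env_extra={"CAP": SECRET})
    elif passing_style == "file":
        fd, tmp = tempfile.mkstemp()
        os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)  # 0600: owner only
        os.write(fd, SECRET.encode())
        os.close(fd)
        # Only the file *name* travels through argv.
        child = spawn_idle(argv_extra=["--cap-file", tmp])
    else:
        raise ValueError(passing_style)
    try:
        cmdline = proc_read(child.pid, "cmdline")
        environ = proc_read(child.pid, "environ")
        if cmdline is None or environ is None:
            return None  # restricted /proc (hidepid, sandbox); cannot probe
        needle = SECRET.encode()
        return needle in cmdline or needle in environ
    finally:
        child.kill()
        child.wait()
        if tmp:
            os.unlink(tmp)


if __name__ == "__main__":
    for style in ("argv", "env", "file"):
        print(f"{style:5s}: secret visible via /proc = {leak_check(style)}")
```

Expected on a stock Linux box: argv and env report True, file reports False. The file variant is not secrecy by obscurity: the path is still visible in cmdline and the open descriptor would show under /proc/PID/fd, so what protects the capability is the 0600 mode on the file (and, ideally, unlinking it or handing the child an already-open descriptor instead of a name). Note that cmdline is readable by every user on the system, while environ is only readable by the same user and root; as the reply above argues, for least-authority designs that narrower audience is still too wide.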
