[cap-talk] More Heresy: ACLs not inherently bad

Karp, Alan H alan.karp at hp.com
Thu Oct 2 12:09:19 CDT 2008


Raoul Duke wrote on September 24:
>
> even in the ACL case, if setuid is used then it seems like if the
> compiler is only run with even the full permissions of the user, there
> is still some form of control going on (avoid running it as root/sudo
> etc.). is the point just that even with a setuid compiler it is too
> much power? but that seems relatively isomorphicish to me to the auto
> inferring and adding caps to the compiler even if limited by the
> user's capabilities. if the user has write access to the billing file
> they can over-write it either way, and if they don't they can't.
>
(Sorry for the late reply.  I'm finally catching up from last week.)

The problem is that the compiler needs to exercise rights from two sources, the user's rights to read the input file and write the output file, and the compiler's right to update the billing file.  If the compiler uses setuid to run as the user, it can't update the billing file.  If it runs as itself, it will clobber the billing file with the output.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
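The two failure modes in Alan's reply, and the capability arrangement the thread contrasts them with, as a small Python simulation. This is an added example, not code from the cap-talk post; the identities ("user", "compiler"), file names, the toy `Cap` class and the in-memory file store are all constructed for illustration.

```python
class Denied(Exception): pass

def new_store():
    # Constructed "file system": name -> owner and contents (billing owned by the compiler identity)
    return {"prog.src": {"owner": "user", "data": "main(){}"},
            "billing": {"owner": "compiler", "data": "user:0\n"}}

def acl_write(store, principal, name, data):
    """ACL-style write: the identity a process runs *as* may write files it owns (reads unchecked here)."""
    f = store.setdefault(name, {"owner": principal, "data": ""})
    if f["owner"] != principal:
        raise Denied(f"{principal} may not write {name}")
    f["data"] = data

def compile_acl(store, run_as, src, out):
    """setuid-style compiler: every access is made under the single identity run_as."""
    acl_write(store, run_as, out, "bin:" + store[src]["data"])                       # needs the user's rights
    acl_write(store, run_as, "billing", store["billing"]["data"] + "user:1\n")       # needs the compiler's rights

class Cap:
    """Capability: an unforgeable reference to one file that carries the right to use it."""
    def __init__(self, store, name):
        self._f = store.setdefault(name, {"owner": "cap", "data": ""})
    def read(self):
        return self._f["data"]
    def write(self, data):
        self._f["data"] = data

def make_cap_compiler(billing_cap):
    """The compiler keeps its own billing capability; the caller hands it the other two."""
    def compile_cap(src, out):
        out.write("bin:" + src.read())
        billing_cap.write(billing_cap.read() + "user:1\n")
    return compile_cap

def run_scenarios():
    results = {}
    s = new_store()  # 1. setuid to the user: the billing update is refused
    try:
        compile_acl(s, "user", "prog.src", "prog.bin")
        results["as_user"] = "ok"
    except Denied:
        results["as_user"] = "billing update denied"
    s = new_store()  # 2. run as the compiler, and the user names the billing file as output
    compile_acl(s, "compiler", "prog.src", "billing")
    results["as_compiler"] = s["billing"]["data"]  # the original billing record is gone
    s = new_store()  # 3. capabilities: both authorities combine, neither is ambient
    compile_cap = make_cap_compiler(Cap(s, "billing"))
    user_caps = {n: Cap(s, n) for n in ("prog.src", "prog.bin")}  # the user holds no "billing" cap
    compile_cap(user_caps["prog.src"], user_caps["prog.bin"])
    results["caps"] = (s["prog.bin"]["data"], s["billing"]["data"], "billing" in user_caps)
    return results
```

In the third scenario the user cannot designate the billing file as output at all, because naming a file and being authorised to write it are the same act: handing over a capability.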