Re: sys_setpriority error

From: Chris Lundberg (clundberat_private)
Date: Thu May 31 2001 - 09:21:09 PDT

  • Next message: David Wagner: "Re: sys_setpriority error"

    On Thu, 31 May 2001, Casey Schaufler wrote:
    > Chris Wright wrote:
    > > The problem is that
    > > capabilities is fundamentally about overriding restrictions (at least that's
    > > my read of the P1003.1e draft).
    > This is correct. The Capabilities of P1003.1e are intended
    > to be explicit permissions to override system security policy.
    > They were designed with the goal of breaking up the Superuser.
    > They were also designed to provide clarity on what the base
    > P1003.1 spec meant when it said "appropriate privilege".
    > The capability specification reflects in many ways the
    > policy which can be gleaned from the P1003.1 spec, including
    > the list of required capabilities.
    But what if we want our security policy to be completely pervasive?  That
    is, what if root (or superuser, etc) should be explicitly denied from
    certain tasks?  Capabilities doesn't allow for this at all.
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Thu May 31 2001 - 09:22:26 PDT