Re: suser/fsuser checks

From: Lachlan McIlroy (lachlanat_private)
Date: Tue Apr 09 2002 - 18:12:16 PDT


    Chris Wright wrote:
    
    > * Lachlan McIlroy (lachlanat_private) wrote:
    > 
    >>There are many calls to suser() in devices to check
    >>for superuser privilege but no LSM hook involved.
    >>According to the comment in sched.h the suser()/
    >>fsuser() routines will be removed but while they
    >>are still in use shouldn't we put a capable() call
    >>inside them?  We could create a generic capability
    >>for device management (ie CAP_DEV_MGT).
    >>
    >>Any suggestions/objections?
    >>
    > 
    > This is an outstanding kerneljanitor task.  I have seen patches floating
    > about that take suser/fsuser out of 2.5, but AFAIK more work needs to be
    > done.  I'd suggest focusing on removing them.
    > 
    > cheers,
    > -chris
    > 
    >>-- 
    >>Lachlan McIlroy
    >>
    >>_______________________________________________
    >>linux-security-module mailing list
    >>linux-security-moduleat_private
    >>http://mail.wirex.com/mailman/listinfo/linux-security-module
    >>
    > 
    > 
    
    Thanks for the info Chris, I'll have a look around for
    those patches and see what they do.  Ultimately, I would
    like to see all calls to suser() replaced with calls to
    capable().
    
    -- 
    Lachlan McIlroy				Tel: +61 3 8534 5531
    Trusted Linux				Fax: +61 3 9596 2960
    Adacel Technologies Ltd			      www.adacel.com
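
The difference the thread turns on, as an added example that is not part of the original message or of the kernel source: a simplified user-space model in which a euid-only suser() never reaches a security-module hook, while a suser() that calls capable() does. The names module_capable, suser_legacy and suser_wrapped, the bit position given to CAP_DEV_MGT, and the two sample tasks are assumptions made for illustration.

```c
/* User-space model, constructed for illustration; not kernel source. */
#include <stdint.h>
#include <stdio.h>

#define CAP_DEV_MGT 5   /* hypothetical capability from the thread; bit position is local to this model */

struct task { unsigned euid; uint64_t cap_effective; };

static int hook_calls;  /* counts how often the policy hook is consulted */

/* Stand-in for a security module's capability hook (assumed shape). */
static int module_capable(const struct task *t, int cap)
{
    hook_calls++;
    return (int)((t->cap_effective >> cap) & 1u);
}

/* capable(): the decision is delegated to the module hook. */
static int capable(const struct task *t, int cap)
{
    return module_capable(t, cap);
}

/* Legacy-style check: euid only, the hook is never reached. */
static int suser_legacy(const struct task *t)
{
    return t->euid == 0;
}

/* The change proposed in the thread: suser() asks capable() instead. */
static int suser_wrapped(const struct task *t)
{
    return capable(t, CAP_DEV_MGT);
}

/* Constructed sample tasks. */
static const struct task capless_root = { 0, 0 };
static const struct task dev_operator = { 1000, UINT64_C(1) << CAP_DEV_MGT };

int main(void)
{
    printf("capless root: legacy=%d wrapped=%d\n",
           suser_legacy(&capless_root), suser_wrapped(&capless_root));
    printf("dev operator: legacy=%d wrapped=%d\n",
           suser_legacy(&dev_operator), suser_wrapped(&dev_operator));
    printf("hook consulted %d times\n", hook_calls);
    return 0;
}
```

A root task that has dropped its capabilities still passes the euid-only check, and a non-root task holding the device-management bit passes only the wrapped one.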
    
    



    This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 18:15:26 PDT