From: Nadav Har'El (nyh_at_nonexisting.hamakor.org.il)
Date: Tue 31 Aug 2004 - 13:33:30 IDT
On Tue, Aug 31, 2004, Nadav Har'El wrote about "Re: I'm not the process you think I am":
> You can try doing this with Linux's little-known "capabilities" feature.
> This allows you to have any user id, but with some of root's capabilities,
> like binding any network address or writing any file (for example)
> magically turned on. For your protection, you can even enable some capabilties
> but not others.
On second thought, while it's easy to have a root (uid 0) owned process
with lesser privelges (useful for enhanced security), it's less clear how
to use the "capabilities" mechanism to elevate the capabilities of a non-
root process. capsetp (controlling another process) might not be allowed
on standard kernels; And setuid et al. might clear all the capabilities
while changing the uid :(
Please tell us if you find a solution.
-- Nadav Har'El | Tuesday, Aug 31 2004, 14 Elul 5764 nyh_at_math.technion.ac.il |----------------------------------------- Phone +972-523-790466, ICQ 13349191 |From the Linux getopt(3) manpage: "BUGS: http://nadav.harel.org.il |This manpage is confusing." ================================================================= To unsubscribe, send mail to linux-il-request_at_linux.org.il with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail linux-il-request_at_linux.org.il
This archive was generated by hypermail 2.1.7 : Tue 31 Aug 2004 - 13:47:09 IDT