From: Muli Ben-Yehuda (mulix_at_nonexisting.hamakor.org.il)
Date: Tue 31 Aug 2004 - 13:57:46 IDT
On Tue, Aug 31, 2004 at 01:21:47PM +0300, Nadav Har'El wrote:
> You can try doing this with Linux's little-known "capabilities" feature.
> This allows you to have any user id, but with some of root's capabilities,
> like binding any network address or writing any file (for example)
> magically turned on. For your protection, you can even enable some capabilties
> but not others.
I'm well aware of capabilities, and it was working "as advertised", it
would've done the work. Unfortunately, it doesn't. The kernel support
is supposedly there, but the userspace tools are broken and have been
broken for a long time. See
http://www.uwsg.iu.edu/hypermail/linux/kernel/0404.0/0338.html for
example. Also AFAICR capabilities are not retained accross exec, which
is something I need.
Thanks,
Muli
-- Muli Ben-Yehuda http://www.mulix.org | http://mulix.livejournal.com/
=================================================================
To unsubscribe, send mail to linux-il-request_at_linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request_at_linux.org.il
This archive was generated by hypermail 2.1.7 : Tue 31 Aug 2004 - 14:09:50 IDT