7 Dec
2023
7 Dec
'23
10:02 a.m.
I wasn't aware of this either. In seeing it, I immediately though of SELinux. I
found this oost, which states that they are different, but from the users point of view
accomplish exactly the same thing:
https://security.stackexchange.com/questions/10816/what-are-the-practical-d…
Which makes me wonder if we need both and what the path forward is.
As an aside, the ping example given isn't fully in alignment with my Fedora system.
My version of /bin/ping is not setuid root. However it behaves as described. Also, it
has an additional capability of admin.. So, the logic in section 2 for privileges must
not be correct, since the legacy setuid root bit is not set and the program is running
setuid root, apparently.
I'm still reading. Thanks for posting this.
But I seem to remember libcap as being a bad actor somehow: as in seeing it in error
messages. I just can't remember the context. I'm hazily recalling maybe version
issues.
-Gary
On Wed, Dec 06, 2023 at 01:53:28PM -0800, Brian E. Lavender wrote:
I did not know!
"Not needing root to administer Linux - the home of libcap"
https://sites.google.com/site/fullycapable/
I discovered this while investigating the source for
"C library for Broadcom BCM 2835"
http://www.airspayce.com/mikem/bcm2835/
--
Brian Lavender
http://www.brie.com/brian/
"There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the other
way is to make it so complicated that there are no obvious deficiencies."
Professor C. A. R. Hoare
The 1980 Turing award lecture
_______________________________________________
Lug-nuts mailing list -- lug-nuts(a)bigbrie.com
To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com