re: [vserver] pam_capability module

About this list Date view Thread view Subject view Author view Attachment view

From: Jacques Gelinas (
Date: Mon Apr 08 2002 - 23:42:20 EDT

On Mon, 8 Apr 2002 13:07:22 -0500, Nick Craig-Wood wrote
> I thought you guys might be interested in this in that it playing with
> similar parts of the kernel to vserver :-
> Which is a module implementing capabilities for users via PAM.

The capability system is incomplete in linux 2.2 and 2.4. The big missing
part is the ability to tag capability to application like we can tag the setuid bit.
The flaw with setuid bit is that a buggy setuid root program can give away
the control over the system.

This patch offers a way around. Giving some capability to users so you need
less setuid programs ou capability enhanced programs. At least this is what
I understand.

The major flaw with capability is this is an all or nothing. You can't qualify the
capability. For exemple, it would be nice to grant CAP_DAC_OVERRIDE
to a co-administrator, but only on one area of the file system (This allow
him to override the normal file access rights).

Capabilities are cool for the vserver because this is indeed a all and nothing
deal. We do not want vserver administrator to do some operations at all.

I suspect that in the long run, stuff like the LSM + selinux will rule. Note
that there is nothing incompatible with vservers. LSM + selinux is used to
delegate some ability to some users if they are follwoing some access
pattern (they logged from some services and then do that and that).

One goal of the capability system is to stop giving away root completly
whenever someone needs to perform something privileged. Unfortunatly
this is difficult to give fine control. For exemple, I would like to have this
users in charge of the web server. I don't want him to be root, ever. Yet
he must be able to start the service. And the service needs a way to
bind to port 80 (only root can do that, or you need a special capability).
If you use a capability, then you allow this user to bind any service with
a port below 1024, which is not exactly what you want.

I suspect this explains why the capability system has been almost complete
for so long.

plug mode:

I have designed a package called aclfsd as part of the virtualfs project. aclfsd
provide a very fine grain access to file system and network resources. Using
ACL, you can tell who can bind to which port for example. Wonder if this
has a future...

Jacques Gelinas <>
vserver: run general purpose virtual servers on one box, full speed!

About this list Date view Thread view Subject view Author view Attachment view

This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:01 EDT