linux-security-module November 2007 archive

Re: [PATCH] 64bit capability support (legacy support fix)

From: Andrew Morton <akpm_at_nospam>
Date: Wed Nov 21 2007 - 22:17:33 GMT
To: "Serge E. Hallyn" <serue@us.ibm.com>


On Wed, 21 Nov 2007 11:10:51 -0600
"Serge E. Hallyn" <serue@us.ibm.com> wrote:

> Quoting Andrew Morton (akpm@linux-foundation.org):
> > On Sat, 17 Nov 2007 21:25:27 -0800 Andrew Morgan <morgan@kernel.org> wrote:
> >
> > > The attached patch (171282b3553fcec43b9ab615eb7daf6c2b494a87) applies
> > > against 2.6.24-rc2-mm1. It addresses the problem reported by Kevin and
> > > Andy - ultimately, the legacy support wasn't transparent. In particular,
> > > userspace 32-bit capability manipulations (when run by root) that used
> > > to work, without this patch, fail.
> >
> > My venerable FC1 machine says
> >
> > warning: process `zsh' gets w/ old libcap
> > warning: process `zsh' gets w/ old libcap
> > warning: process `zsh' gets w/ old libcap
> >
> > should I be scared?
>
> It should be safe as of Andrew's latest patch. (Before that patch it
> was only unsafe because root's capabilities are just set to {~0,~0} so
> they include invalid capabilities.)
>
> Agreed a better error message would be good.

yup

> Would it be inappropriate
> to include the URL for new libcap versions?

I doubt it, really. Anyone who's running anything as old as FC1 won't be upgrading (and probably couldn't find a package to upgrade to).

Or does "old libcap" here refer to all the versions which are deployed today? If so then we should just kill the message. Or at least make it a once-per-boot thing.
