linux-security-module November 2007 archive

Re: [PATCH] 64bit capability support (legacy support fix)

From: Kevin Winchester <kjwinchester_at_nospam>
Date: Wed Nov 21 2007 - 23:16:28 GMT
To: Andrew Morton <akpm@linux-foundation.org>


Andrew Morton wrote:
> On Wed, 21 Nov 2007 11:10:51 -0600
> "Serge E. Hallyn" <serue@us.ibm.com> wrote:
>
>> Quoting Andrew Morton (akpm@linux-foundation.org):
>>> On Sat, 17 Nov 2007 21:25:27 -0800 Andrew Morgan <morgan@kernel.org> wrote:
>>>
>>>> The attached patch (171282b3553fcec43b9ab615eb7daf6c2b494a87) applies
>>>> against 2.6.24-rc2-mm1. It addresses the problem reported by Kevin and
>>>> Andy - ultimately, the legacy support wasn't transparent. In particular,
>>>> userspace 32-bit capability manipulations (when run by root) that used
>>>> to work, without this patch, fail.
>>> My venerable FC1 machine says
>>>
>>> warning: process `zsh' gets w/ old libcap
>>> warning: process `zsh' gets w/ old libcap
>>> warning: process `zsh' gets w/ old libcap
>>>
>>> should I be scared?
>> It should be safe as of Andrew's latest patch. (Before that patch it
>> was only unsafe because root's capabilities are just set to {~0,~0} so
>> they include invalid capabilities.
>>
>> Agreed a better error message would be good.
>
> yup
>
>> Would it be inappropriate
>> to include the URL for new libcap versions?
>
> I doubt it, really. Anyone who's running anything as old as FC1 won't be
> upgrading (and probably couldn't find a package to upgrade to).
>
> Or does "old libcap" here refer to all the versions which are deployed
> today? If so then we should just kill the message. Or at least make it a
> once-per-boot thing.
>
>

I am running Ubuntu gutsy, so it's about a month or two old. I think "old" means libcap 1.x and not old is libcap 2.x (I can't even find a web page for libcap 2.x, but the 64-bit capability patch indicates that it supports the new capabilities version).

--
Kevin Winchester