Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 6 Jan 2011 13:29:34 -0500
From: Michael Gilbert <>
Subject: Re: CVE-NONE kernel: PHONET signedness issue

On Thu, 6 Jan 2011 13:08:59 -0500, Dan Rosenberg wrote:
> This is a slippery slope.  I'm in favor of not having a CVE assigned
> for this issue.
> Otherwise, wouldn't we need a CVE for every vector that allows
> transitioning from various capabilities to root?  The capability
> system may be poorly designed to allow such transitions, but I don't
> think they represent unexpected behavior.

What's the point of a capabilities system if its equivalent to root
in the majority of cases anyway?  For file access/operations, there is
always sudo and the /etc/sudoers file for making it easy to access to
stuff thats accessed often without a password.  For port binding, the
capabilities system makes sense; and according to Brad Spengler's list,
those caps don't appear to be root equivalent so that could stay.
Otherwise, I don't see the point.

I'm not sure if there is a written security model for the capabilities
system, but this looks to me like it would be a violation of it.

Best wishes,

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.