[linux-elitists] Capabilities equivalent to root

Greg KH greg at kroah.com
Tue Jun 3 10:04:41 PDT 2014

On Tue, Jun 03, 2014 at 08:21:45AM -0700, Don Marti wrote:
> Remember this article about which Linux capabilities
> can be upgraded to full root access?
>   False Boundaries and Arbitrary Code Execution
>   http://forums.grsecurity.net/viewtopic.php?f=7&t=2522
>   Spengler: False Boundaries and Arbitrary Code Execution
>   https://lwn.net/Articles/421671/
> Has anyone done an update?  Are all these capabilities
> still equivalent to root?

Pretty much yes, as we can't change existing functionality without
breaking things that are working properly.

There are proposals for how to fix up the capability mess, it just
requires someone to do all of the dirty work in implementing it.

Or use user namespaces, in a container, which should give you good
enough confinement to not need to worry about capabilities anymore.

greg k-h

