[NT ACLS] Using the security.* namespace for NTACL considered improper
idra at samba.org
Wed Jan 20 09:27:02 MST 2010
On Wed, 2010-01-20 at 17:00 +0100, Stefan (metze) Metzmacher wrote:
> Extended security attributes
> The security attribute namespace is used by kernel modules, such as Security Enhanced Linux. Read and write access permissions to security depend on the policy implemented for each security attribute by the security module. When no security module is loaded, all processes have read access to extended security attributes, and write access is limited to processes that have the CAP_SYS_ADMIN capability.
>
> CAP_SYS_ADMIN is only needed for writing, not reading, and that is the
> difference between security. and trusted.
Yes, every time we need to write the ACLs, at the moment, we need to use
become_root(), but we don't really need to be uid 0 to write. All we
need is to have CAP_SYS_ADMIN.
What I am saying is that unless retaining CAP_SYS_ADMIN has unintended
consequences in other parts of the code, we could get rid of the need to
call become_root() to write ACLs (or to read them if they were moved to
trusted.*, which won't happen at the moment).
become_root() comes with a cost and a risk, so removing it, where
possible, looks like a very good idea.
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
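The point made in the thread is that the kernel gates writes to security.* xattrs on CAP_SYS_ADMIN in the effective capability set, not on euid 0. The following added example (not Samba code) reads the CapEff mask from /proc/<pid>/status text to decide whether a become_root()-style escalation would actually be needed; the status fragments are constructed, and try_write_security_xattr() assumes a Linux host and uses a placeholder value rather than a real NTACL blob.

```python
import os

# Capability number from <linux/capability.h>; bit 21 of the CapEff mask.
CAP_SYS_ADMIN = 21

# Constructed /proc/<pid>/status fragments (not captured from a real host).
STATUS_FULL_ROOT = "Uid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
STATUS_CAP_ONLY = "Uid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000200000\n"
STATUS_NO_CAPS = "Uid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"


def parse_status_field(status_text, key):
    """Return the value of one 'Key:\\tvalue' line from a status text."""
    for line in status_text.splitlines():
        if line.startswith(key + ":"):
            return line.split(":", 1)[1].strip()
    raise ValueError("field %s not found" % key)


def has_capability(cap_eff_mask, cap_number):
    """True if bit cap_number is set in the effective capability mask."""
    return (cap_eff_mask >> cap_number) & 1 == 1


def security_xattr_write_policy(status_text):
    """Decide whether writing security.* xattrs needs become_root().

    The kernel checks CAP_SYS_ADMIN in the effective set, not the uid: a
    root process that dropped the capability cannot write, while an
    unprivileged-uid process that retained it can.
    """
    euid = int(parse_status_field(status_text, "Uid").split()[1])
    cap_eff = int(parse_status_field(status_text, "CapEff"), 16)
    cap_ok = has_capability(cap_eff, CAP_SYS_ADMIN)
    return {"euid": euid, "cap_sys_admin": cap_ok, "needs_become_root": not cap_ok}


def try_write_security_xattr(path, name="security.NTACL", value=b"\x00"):
    """Attempt the write on a live Linux system; False on EPERM.

    The value is a placeholder, not a real NTACL blob.
    """
    try:
        os.setxattr(path, name, value)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    with open("/proc/self/status") as f:
        print(security_xattr_write_policy(f.read()))
```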