[fpc-devel] Linux kernel behaviour change regarding keyboard
Daniël Mantione
daniel.mantione at freepascal.org
Wed Jul 18 20:45:12 CEST 2007
On Wed, 18 Jul 2007, Sergei Gorelkin wrote:
> Jonas Maebe wrote:
> >
> > On 18 Jul 2007, at 14:08, Jonas Maebe wrote:
> >
> > > > Install the IDE setuid.
> > >
> > > That would be an extremely bad idea with the current stability record
> > > of the IDE.
> >
> > Not to mention that it allows you to open and overwrite any arbitrary
> > file.
> >
>
> Looking at that kernel patch, I see that it requires not uid=0, but rather
> certain caller's capability present.
> I don't have deep knowledge of the subject, but 'capability' sounds like
> 'privilege' (in Windows terms) for me. If it is so, then probably there is a
> way to solve the problem by assigning the required capability to IDE user(s)
> or process.

Yes, you need a certain capability, but in practice this means you must
be root. This is because:

* You can only drop a capability, not get a capability as a process.
* Root has all capabilities, users don't have any capabilities.

However, there is the SETPCAP capability, where a process can set the
capabilities of another process. So, a setuid helper program could assign
the needed capability if certain conditions are met. Unfortunately due to
a security hole SETPCAP has been revoked from even root. Without kernel
modification this possible solution is unfortunately sabotaged.

Daniël
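
An added example, not part of the original message or of the FPC code base: a small Python script that decodes the `Cap*` bitmask lines of `/proc/<pid>/status` and reports whether CAP_SETPCAP is present in each capability set. The two status dumps are constructed samples that mirror the situation described above (a root process with every low bit set except SETPCAP, and an ordinary user process with none); bit number 8 for CAP_SETPCAP is taken from `linux/capability.h`.

```python
import re

CAP_SETPCAP = 8  # bit number of CAP_SETPCAP in linux/capability.h

# Constructed samples (not captured from a real system): the Cap* lines of
# /proc/<pid>/status for a root process and for an ordinary user process.
SAMPLE_ROOT_STATUS = (
    "Name:\tide\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000fffffeff\n"
    "CapEff:\t00000000fffffeff\n"
)
SAMPLE_USER_STATUS = (
    "Name:\tide\nUid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
)

def parse_cap_sets(status_text):
    """Return {set name: bitmask} for every Cap* line in a status dump."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap[A-Za-z]+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets

def has_cap(mask, cap):
    """True if capability number `cap` is set in `mask`."""
    return bool((mask >> cap) & 1)

def missing_bits(mask, width=32):
    """Capability numbers below `width` that are cleared in `mask`."""
    return [bit for bit in range(width) if not has_cap(mask, bit)]

def setpcap_report(status_text):
    """Map each capability set to whether it contains CAP_SETPCAP."""
    return {name: has_cap(mask, CAP_SETPCAP)
            for name, mask in parse_cap_sets(status_text).items()}

if __name__ == "__main__":
    for label, text in (("root", SAMPLE_ROOT_STATUS), ("user", SAMPLE_USER_STATUS)):
        eff = parse_cap_sets(text)["CapEff"]
        print(label, "CapEff=%#010x" % eff, "SETPCAP:", has_cap(eff, CAP_SETPCAP),
              "missing bits:", len(missing_bits(eff)))
```

To inspect a live process instead of the samples, pass the contents of `/proc/self/status` (or another PID's status file) to `setpcap_report`.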