Re: caps in elf, next itteration (the hack get's bigger)

Horst von Brand (vonbrand@inf.utfsm.cl)
Tue, 13 Apr 1999 11:13:58 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Alan Cox: "Re: PROBLEM: MO mounting not working w/ 2.2.3+"
Previous message: Heinz Mauelshagen: "Static Swap"
Maybe in reply to: David L. Parsley: "caps in elf, next itteration (the hack get's bigger)"
Next in thread: Casey Schaufler: "Re: caps in elf, next itteration (the hack get's bigger)"

Richard Gooch <rgooch@atnf.csiro.au> said:
> Horst von Brand writes:
> > Richard Gooch <rgooch@atnf.csiro.au> said:

> > [...]

> > > This to me is one of the real blind-spots of some people who are
> > > pushing capabilities. There is absolutely no need to remove the
> > > privileges of the root account. By default root has all capabilities.

> > The whole idea of capabilities is to get rid of all-powerful users, to
> > split the root powers among several people where _nobody_ has all
> > powers. Any scheme that keeps a root of some sort is broken.

> Whoever can grant caps is in effect all-powerful.

There is _one_ program on the system which can do that, and that program is
heavily guarded, can be run (just group execute bit, immutable, ...) by
only a very select group of people (perhaps only if the kernel is in a
special "unsecure" mode), logs everything it does to a different machine
that is totally out of the hands of the granters.

Capabilities aren't attached to users, but to individual processes, so
there isn't a "whoever".

> > > Capabilities are a good thing, as they give more flexibility. But
> > > there simply is no need to cripple root.

> > Then give root all capabilities. "To cripple root", as you call it, is not
> > _needed_, but it is essential to be _able to do it_, else you can get just
> > a fraction of the security benefits out of this scheme.

> What exactly do you see as the benefits of a crippled root? Compare
> that with a system where there is no root account, but euid=0 means
> all caps to the kernel. What are the real benefits?

If I can somehow hijack a UID 0 process in your scheme, the system is mine
to keep. With real capabilities, I get nothing (or very little).

The above is terminal paranoia, to be sure. But capabilities and ACLs are
for people into that. Can be quite useful to us mere mortals too ;-)

-- Dr. Horst H. von Brand mailto:vonbrand@inf.utfsm.cl Departamento de Informatica Fono: +56 32 654431 Universidad Tecnica Federico Santa Maria +56 32 654239 Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/

Next message: Alan Cox: "Re: PROBLEM: MO mounting not working w/ 2.2.3+"
Previous message: Heinz Mauelshagen: "Static Swap"
Maybe in reply to: David L. Parsley: "caps in elf, next itteration (the hack get's bigger)"
Next in thread: Casey Schaufler: "Re: caps in elf, next itteration (the hack get's bigger)"