Re: caps in elf, next itteration (the hack get's bigger)

David L. Parsley (kparse@salem.k12.va.us)
Thu, 15 Apr 1999 10:25:39 -0400 (EDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Albert D. Cahalan: "Re: minimum capabilities?"
Previous message: David L. Parsley: "Re: caps in elf, next itteration (the hack get's bigger)"
In reply to: Chris Wedgwood: "Re: 2.0 a lot better than 2.2 on high-latency links."
Next in thread: Gerhard Mack: "Re: 2.0 a lot better than 2.2 on high-latency links."

Hello Andrej,

On Wed, 14 Apr 1999, Andrej Presern wrote:

[snip]
> >> You keep mentioning a 'true capabilities-based system' when you're realy
> >> discussing a mutilated capability LIST design.

Ah, ok... this is just a terminology issue. I'm not really familiar with
a 'true capabilities-based system', but I am familiar with how
'capability lists' are designed to work under Linux. What bothers me is
that the setuid-root scheme doesn't correctly implement capabilities, and
that correct semantics are being broken to work around limitations in the
design. So, when I've been saying 'true capabilities support' I've meant
'true support for capability lists as implemented in the Linux kernel'.
I'll probably continue to misuse the terminology, but I hope you
understand.

[snip]
> >Please expand, I'm not following.
>
> >From your writing it appears that you're assuming that the Linux kernel
> contains true capability support. Unfortunatelly, this is not so. The Linux
> kernel contains support for capability lists, which is a different concept than
> true (or pure) capabilities. Since most of the people refer to what is in the
> kernel as 'capabilities', the confusion is inherent as newcomers who have read
> about computer security get an impression that the kernel contains a powerful
> token (aka key/lock aka descriptor aka true (pure) capability) based security
> mechanism, when it really contains a fundamentally broken and abandoned (by the
> people who put it together) concept of POSIX privileges (aka capability lists).

I'm interested in why you think it's fundamentally broken. In the design
issues I'm considering, it seems at _worst_ to be much better than the
current root=all powerful model. I've already given one example of
securing named(8) with the capability lists support.

> As they say, the proof is in the pudding, so by all means, feel free to pursue
> your implementation. Using capability lists is usually the last mistake that
> people make when designing their security components, so I'd expect to have
> this topic brought up relatively soon again.

Well, I've got a bit of a learning curve ahead of me with kernel hacking;
if for some reason you don't think the Linux implementation of capability
lists will result in enormously improved security (when implemented and
used properly), then it would be nice to know why _now_.

cheers,
David

- --
David L. Parsley
Network Specialist
City of Salem Schools

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Albert D. Cahalan: "Re: minimum capabilities?"
Previous message: David L. Parsley: "Re: caps in elf, next itteration (the hack get's bigger)"
In reply to: Chris Wedgwood: "Re: 2.0 a lot better than 2.2 on high-latency links."
Next in thread: Gerhard Mack: "Re: 2.0 a lot better than 2.2 on high-latency links."