Re: [PATCH] capabilities done right

Alexander Kjeldaas (astor@fast.no)
Wed, 12 May 1999 10:37:44 +0200


On Tue, May 11, 1999 at 03:57:29PM +0200, Pavel Machek wrote:
> +Elf capabilities hack
> +=====================
> +
> +From now on, there's support for capabilities in elf executable. Elf
> +executable now may contain "capabilities header", telling which
> +capabilities should be dropped on exec. This can not hurt: lowering
> +capabilities is not priviledged operation, and executable could do it
> +itself at beggining of main.
> +
> +Doing it in exec() time has certain advantages, through: you can
> +easily look and what capabilities are in use by what program and you
> +can set capabilities for existing executables without need to
> +recompile.
> +
> +What can elfcap do:
> +
> +* mask inheritable, permitted and effective sets by arbitrary mask
> +
> +* set euid back to ruid
> +
> +Along with existing setuid mechanism, this hack can be used to grant
> +subset of capabilities to executables. For example currently ping has
> +to be setuid0. With elfcap, ping still will be setuid0, but most of
> +its capabilities will be dropped at exec() time, so breaking into ping
> +will allow attacker to generate arbitrary packets to network, but
> +nothing more.
> +
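Review bot: the ping example in the closing paragraph concludes that a break-in allows packet generation "but nothing more", yet it keeps ping setuid0 and never says whether the "set euid back to ruid" option listed above is applied to it. If euid stays 0 after exec, the process still owns root's files, and the text describes only masking of the inheritable, permitted and effective sets, which does not cover access granted by file ownership. Either narrow the claim or have the example state that euid is also set back to ruid while the one needed capability is kept, if the header allows that combination. The text also says capabilities can be set on existing executables "without need to recompile" but does not describe the header's layout or how it is written into a binary, which belongs in this document. Minor wording: "priviledged" should be "privileged", "beggining" should be "beginning", "advantages, through" should be "advantages, though", and "look and what" should be "look at what".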

If you break ping in the above scheme, you could edit /etc/passwd and
gain access to the whole system. Capabilities don't gain you much
if you have to use UID 0.

astor

-- 
 Alexander Kjeldaas, Fast Search & Transfer, Trondheim, Norway
