Re: Capabilities done right [diff against 2.3.1]

Albert D. Cahalan (acahalan@cs.uml.edu)
Mon, 17 May 1999 19:56:11 -0400 (EDT)


John Wojtowicz writes:

>> You want to allow shellscripts with special powers?!?!?
>
> This is allowed by all other trusted operating systems. Why not
> trusted linux as well?

First, a definition. I'll use "privileged" to mean setuid, setgid,
capability enhanced, or any combination of the three.

An operating system can be behave in one of a few ways:

a. Allow privileged scripts, complete with MASSIVE SECURITY HOLE
b. Prohibit privileged scripts (like Linux does)
c. Substitute something like /proc/123/fd/3 for the script name

We can not just allow privileged scripts. (case "a")
I seem to recall option "c" being vetoed by the emperor penguin.
That leaves us with option "b". Privileged scripts are not allowed.

> And you're also forgetting about inheritable
> capabilities. What if an ELF program calls a shell script that in
> turn calls another ELF program. Do you just look at the privileges
> ON the file? No you have to check the inheritable privileges of
> the parent process as well.

This does not matter. Look:

shell does exec() to start the script
kernel looks at script
kernel starts interpreter with privileges (capabilities, setuid, etc.)
user plays with links, substituting an evil script
interpreter opens the evil script
the evil script runs
the evil script can do _everything_ the original script could do

> I know this principle of least privilege is NEW to linux, but
> it's a pretty well established technology. You would probably want to

I wouldn't say it is well established technology.

> leverage off of the concepts that other people and OSes have already
> built.
> Otherwise you dump a tried and true security model in preference of one
> whose rules you are making up as you go along.

Of course, assuming the normal model is tolerable. Security systems
are totally useless if people disable them to get their work done.
("disable" often means "never installed", not "cracked")

>> If so, you might as well start by allowing setuid shell scripts.
>> That was a massive security hole last I heard.
>
> I don't think you've quite got the idea of capabilities yet. If you
> did you wouldn't think that a shell script with capabilities is any
> worse or better than an ELF program with capabilities. In fact,

I don't think you've quite got the idea of scripts yet. You might as
well just put the privileges (capabilities, setuid, etc.) on the
interpreter, because attackers can substitute any script they like.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/