I just noticed that the kernel executes "modprobe" with _all_ capabilities
raised.
This might cause headache in the future, when we can run without a root
user (and/or ban certain capabilities from ANYONE on the system), because
1) The user owning the "modprobe" binary will be able to take over the
system
2) The modprobe binary itself must be secure - it is fully trusted.
3) Probably worse, /proc may be used to change the location where we try
and execute modprobe. Another pesky /proc backdoor. /proc is a big window
into the kernel. In a secure setup, very careful thought needs to be given
to what user owns /proc files and indeed if some need disabling altogther.
4) CAP_SETUID now is equivalent to all capabilities - switch to the user
that either owns /proc/sys/kernel/modprobe, or /sbin/modprobe itself.
5) Likewise, CAP_CHOWN, CAP_FOWNER, CAP_DAC_OVERRIDE (unless CAP_IMMUTABLE
is in play). The less orthogonal sets of privileges the less use
capabilities are.
Chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/