Re: [RFC] Giving capabilities to users and groups

Casey Schaufler (casey@sgi.com)
Thu, 16 Dec 1999 11:06:14 -0800


Martijn van Oosterhout wrote:
>
> I have an idea for a program which I would call scap (in
> the spirit of sg and su). I'm mainly trying to work out
> if such a program exists already and if not, ideas on
> how it would work.

In Irix the su command has a -C option which allows a user to
request capabilities. We chose an option to su over a new command
because there are cases where you want to change both the uid
and the capabilities at the same time. Reasonable restrictions
apply.

> I was thinking to have a file (maybe /etc/caps) that would
> look like the password file but explains what caps that user
> has. for example:
>
> root:SYSADMIN,NETRAW,etc...
> myuser:NETRAW...

In Irix we use /etc/capability. The format is:

<user>:<default-set>:<maximum-set>
casey:all=:all=eip

In this case casey (Hey! That's me!) has the highly recommended
empty set by default, but can request anything he (bwaa haa haa)
wants.

> These users could then use the scap program to get these
> capabilities when they need them. This could either be done
> by scap spawning a shell with the new capability or using
> CAP_SETPCAP to change the capabilities of its parent.

In Irix:

anchovy% su casey -C CAP_DAC_WRITE+eip
anchovy% id -P
uid=4020(casey) gid=10(nuucp) capability=(all= CAP_DAC_WRITE+eip)
anchovy% su casey -C all= -c "id -P"
uid=4020(casey) gid=10(nuucp) capability=(all=)
anchovy%

> Similarly, I'd like to be able to assign capabilities to groups.
> I still need to think of a good example.

Igg. I don't like the idea, but can't really counter it.

> I think I'd also want meta-capabilities. For example 'netmanager'
> which would have all the network related capabilities. Then you
> could say: addcap joe netmanager -- and they would have all the
> rights attached to that.

Capabilities don't map well to roles. We tried. On Irix we
have one role defined (the auditor) with a reasonable set,
but even something simple like adding a user requires quite
a lot of privilege (not necessarily capabilities, but you
do need to be able to modify root owned things).

The purist in me doesn't like the meta-capability notion because
it could inspire lazy granting of capabilities. If one knows that
netmanager is good enough, one might run with capabilities that
are included in netmanager even though they're not needed for the
job at hand. Example: the /etc/netgroup file can be changed without
CAP_PRIV_PORT.

-- 

Casey Schaufler voice: (650) 933-1634 casey@sgi.com fax: (650) 933-0170
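As an added illustration of the /etc/capability record format and the su -C request flow quoted in this message (example code written for this page, not code from the thread, from IRIX or from any scap implementation): parse the <user>:<default-set>:<maximum-set> records, apply a request on top of the user's default set, and allow it only if the result stays within the maximum set. The clause syntax (names or "all", then "=", "+" or "-", then flag letters e/i/p) is assumed from the examples in the mail, and the capability name list is a constructed sample.

```python
# Added example (not code from the thread or from IRIX): parse the
# /etc/capability format quoted above and check that a "su -C" style
# request stays within the user's maximum set. Set syntax is assumed from
# the mail's examples; the capability name list is a constructed sample.

KNOWN_CAPS = {"CAP_DAC_WRITE", "CAP_PRIV_PORT", "CAP_NETWORK_MGT", "CAP_AUDIT_CONTROL"}
FLAGS = "eip"  # effective, inheritable, permitted


def parse_capset(text, base=None):
    """Return {flag: set(caps)} after applying each clause of `text` to `base`."""
    caps = {f: set(base[f]) if base else set() for f in FLAGS}
    for clause in text.split():
        op = next((c for c in "=+-" if c in clause), None)
        if op is None:
            raise ValueError(f"malformed clause: {clause!r}")
        names, flags = clause.split(op, 1)
        if set(flags) - set(FLAGS):
            raise ValueError(f"unknown flag in clause: {clause!r}")
        targets = set(KNOWN_CAPS) if names == "all" else set(names.split(","))
        if targets - KNOWN_CAPS:
            raise ValueError(f"unknown capability in clause: {clause!r}")
        for f in FLAGS:
            if f in flags and op in "=+":
                caps[f] |= targets          # "=" and "+" grant the listed flags
            elif (f not in flags and op == "=") or (f in flags and op == "-"):
                caps[f] -= targets          # "=" clears unlisted flags, "-" removes
    return caps


def load_capability_file(text):
    """Parse <user>:<default-set>:<maximum-set> lines into {user: (default, maximum)}."""
    records = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            user, default, maximum = line.split(":")
            records[user] = (parse_capset(default), parse_capset(maximum))
    return records


def request_allowed(records, user, request):
    """Apply `request` on top of the user's default set and allow it only if
    every flag's resulting set is a subset of the maximum set."""
    default, maximum = records[user]
    wanted = parse_capset(request, base=default)
    return all(wanted[f] <= maximum[f] for f in FLAGS)


# Constructed sample records in the format quoted in the mail.
RECORDS = load_capability_file(
    "casey:all=:all=eip\noperator:all=:CAP_PRIV_PORT+eip\nnobody:all=:all=\n")
```

With these records, casey's request CAP_DAC_WRITE+eip is allowed (maximum all=eip) while the same request from operator, whose maximum holds only CAP_PRIV_PORT, is denied.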
