Re: request: capabilities that allow users to drop privileges further

From: Felix von Leitner
Date: Tue Dec 16 2003 - 20:31:52 EST


Thus spake Chris Wright (chrisw@xxxxxxxx):
> > I would like to be able to drop capabilities that every normal user has,
> > so that network servers can limit the impact of possible future security
> > problems further. For example, I want my non-cgi web server to be able
> > to drop the capabilities to
> Using existing capabilities system you can limit many of these.

No. The administrator can limit many of these. I want the software to
be able to limit itself.

> Just dropping privs from uid = 0 to anything else is a good start.

If you give administrators tools to limit privileges, some well-educated
admins may do it, but the bulk will not.

If you give software authors the tools to drop privileges they don't
need, and you help everyone.

> > * execve
> mount fs noexec

Not an option for a web server or smtpd.

> > * ptrace
> drop CAP_SYS_PTRACE

That will still allow the process to ptrace other processes of the same
uid.

> > * write to the file system
> mount fs r/o.

Again, not an option.

I hope I made myself more clear this time.

I would be happy with a well documented and fine grained capabilities
system, and maybe a new syscall:

abstain(__NR_execve);

I would also like a way to say that I want to never access the network
except through sockets that are already open (and presumably passed to
me at process creation). Dan Bernstein has a good rationale on what I
think is needed: http://cr.yp.to/unix/disablenetwork.html, however I
think if we do this, we might as well opt for more flexibility.

Imagine being able to call "gzip -dc" in a pipe and denying it write
access to the file system, network I/O and other harmful operations.
If programs can restrict themselves, we could write email client
software that uses external untrusted plugins without fear of buffer
overflows or catching yourself a root kit.

Felix
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/