Re: [RFC][PATCH v3] Unprivileged: Disable raising of privileges
From: Eric W. Biederman
Date: Thu Dec 31 2009 - 13:33:21 EST
"Andrew G. Morgan" <morgan@xxxxxxxxxx> writes:
> Why not implement this as another securebit? So far as I can see the
> whole thing can be implemented in the capability LSM.
>
> What is less clear to me is whether per-process 'disabling of setuid
> bits on files' should force mandatory disabling of file capabilities.
> It seems as if disabling the transition of one luser to another luser
> through a setuid executable is something distinct from privilege
> escalation.
>
> Since there is already independent support for disabling file
> capabilities (the privilege escalation part), I see these two
> mechanisms as separable.
The goal is to disable privilege escalation.
The anatomy of the sendmail capabilities bug as I understand it was:
- unprivileged process took action to prevent gaining a capability.
- exec'd suid sendmail.
- sendmail took action as root because it could not become someone else.
I would like to trivially stop that entire class of exploit by making
execing a suid ( or equivalent ) executable impossible.
Once that hole is closed we can enable things like chroot without
privilege.
If there is a way to express this with capabilities today I would be
more than happy to.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/