Re: [RFC] Capabilities still can't be inherited by normal programs

[Andy Lutomirski]

On Mon, Dec 10, 2012 at 11:51 AM, Casey Schaufler
<casey@xxxxxxxxxxxxxxxx> wrote:
> On 12/10/2012 11:31 AM, Andy Lutomirski wrote:
>> On Mon, Dec 10, 2012 at 11:13 AM, Casey Schaufler
>> <casey@xxxxxxxxxxxxxxxx> wrote:
>>> On 12/10/2012 10:12 AM, Andy Lutomirski wrote:
>>>> I think that the Windows approach is worth looking at.  See here:
>>>>
>>>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa375202%28v=vs.85%29.aspx
>>>>
>>>> In the Windows model, each capability ("privilege") can be in one of
>>>> three states: enabled (i.e working right now),
>>> Effective
>>>
>>>>  permitted (i.e.
>>>> available upon request but not currently enabled),
>>> Permitted
>>>
>>>> or removed
>>>> (disallowed to this process and all of its children).
>>> ~Inherited
>> No.  It's ~Inherited in a world where every binary has fI = everything.
>>
>>>> Permitted
>>>> privileges are always inherited when a child process is created.
>>>>
>>>> This is *way* simpler than Linux's model, and it works just fine*.
>>> I see a different set of complications, and Windows never had
>>> a setuid bit to contend with. God created the universe in seven
>>> days, but then, He didn't have an installed base.
>>>
>> What are those complications?
>
> I wish I had the time to go into the details, but I just can't.

Um.

I'd like to solve what appears to me to be a problem.  There's an
existing design that, from my perspective, is overcomplicated and
doesn't actually do what I want it to do.  I'd really like to know
what the current design *does* accomplish, since then I can make far
more informed proposals for how to fix it.

So far, I know of exactly nothing useful that's accomplished by the
current design.  It would be great if someone would enlighten me.

>
>> Also, I think we really could get rid of setuid without breaking
>> anything with a bit of extra (non-capability-related) plumbing work.
>
> If RedHat or Ubuntu wanted to take a year off from everything else
> they could create a setuid-root free system. It would probably be
> easier for Android or ChromiumOS, as they provide more limited
> environments.
>
> It's not "a bit of extra plumbing". I did it for a Unix system and
> you'll have to change bunches of existing programs to make it work.
> I'm not saying that the changes would be bad, but the sendmail
> fiasco arose from just such an effort. You'll also have to train
> the users that sudo no longer does them any good. In fact, you'll
> be barraged with one question:
>         "How do I get to be Real root"?
>

That's not what I'm talking about.

Write a daemon.  Rig up wrappers for each setuid program to instead
call into that daemon and have that daemon invoke the privileged
program on behalf of the caller, with a sanitized environment.  Be
annoyed by a few items on the "linux plumber's wish list" that make
this rather difficult right now.

sudo would give real root, just like it does today.  No setuid bit needed.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/