>> I'm suggesting that fE be redefined as fM, an 'inheritable Mask', which
>> will drop inheritable bits in the process being exec'ed. The effect of
>> this is to cause certain (or all) inheritance to 'dead-end' during this
>> exec. When considering design of a secure distribution, I thought this
>> would be a useful feature.
>
> fE is basicly not fM, I think the formula should be:
> pI' = pI
> pP' = fP | ( fI & pI & pP)
> pE' = fE & pP'
No, this is bad. Consider an admin with the bits below. Normal users
on this system don't get any bits set, unlike the current default.
pI == 00000000fffffeff
pP == 0000000000000000
pE == 0000000000000000
The admin is only allowed to do his work via tools that leave an
audit trail, so his shell only has the above. The shell can't do
anything at all.
The /bin/mv executable has bits set in fI. Normal users should not
get any special rights when they run /bin/mv, but the admin should
gets a few capability bits in pP when running it.
For /bin/mv, the bits are:
fI == 00000000fffffeff
fP == 0000000000000000
fE == 0000000000000000
Your system would not give /bin/mv the capabilities it needs to have.
I think you were expecting that pP would contain something, and that
a normal user would have bits set in pI. These are bad assumptions.
In the "pP' = fP | (fI & pI)" expression you can see that the admin
gets power from the "(fI & pI)" part, while normal users can only get
power from the "fP" part. All of the admin's special rights are stored
in the pI value, since the other values do not even influence an exec().
> How exactly would you fit fE into the formulas that would improve these
> equations?
> If I understand you correctly you want
> pE' = (!fM) & pP'
> which gains you nothing. either way stuff dead-ends.
> I did kind of like someones idea for f_min
> so that if (f_min != (f_min&pE') then EPERM
> Used very sparingly f_min might be good.
> Without elf I beleive the defaults should be:
> fE=pP, fI=pI, fP=0, f_min=0
> in untrusted elf headers (not marked with suid or sticky or whatever):
> pI' = pI
> pP' = fI & pI & pP
> pE' = fE & pP'
No, we need a set of bits (I'll call it "pm") that are always added to pP.
The set would be 0 for maximum security or normal users, and ~0 for an
admin on a more normal system. This might be help kill off the ugly hack
in exec.c that pretends an executable has fI and fE full if UID 0 runs it.
new_pP = fP | (fI & old_pI) | old_pm;
if(new_pP & ~old_pM) return -EPERM; /* getting prohibited caps? */
if((new_pP & fm) != fm) return -EPERM; /* not enough? */
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/