Re: Capabilities under Linux

Y2K (y2k@y2ker.com)
Tue, 20 Apr 1999 22:05:53 -0700 (PDT)


On Tue, 20 Apr 1999, Horst von Brand wrote:
> Y2K <y2k@y2ker.com> said:
> > The current elf_header solution does not grant *any* privledges just is
> > used to revoke them. elf_headers should never be used to grant privledges
> > that we can agree on.
> How can it be of any use then? You _still_ have an omnipotent root account
> that can be broken into, or whose processes can be hijacked? Capabilities
> aren't about "taking away", they are abount granting specific rights.
You may still have a tiny bit more powerful root for awhile, that is
controled by the securebits. Right now it appears to me to be a global. I
am hashing around some ideas about making it a per-process thingie. Right
now the patch I have out there(heavily based on pavel's) uses elf_header
to *only* reduce. Right now there is only *one* way to gain caps a
suid-root binary if securebits is set in backwards-compatible mode
{issecure(SECURE_NOROOT) is false} besides what init is initialy granted.
With the elf_headers you can cause this compatible behavior to be less
empowering-- I think it complements the legacy behavior quite well.
This is needed for backwards compatibility. Also with my patch you can
have root running processes that don't regain a bunch of caps in the
children when you exec as the current one seems to. It corrects other
things I saw as defects. Please do take a look at the patch and crititize
and bitch about it. I think that suid-root for legacy and later ext3
attributes should be the only ways to raise capabilities.
root should always be special at least for legacy purposes. We can at
least weaken it a lot.
Right now root is no longer omnipotent.
A *huge* read big problem though is that the *only* legacy way to lose
caps through syscalls is to lose both ruid being 0 and euid being 0 . So
if you aren't either it is hard for you to lose caps through legacy ways.
And legacy apps might not even know that they have them.
Those are the hard problems IMHO.
So any way we can add to lose caps the better.
> OK, if the status of the "capabilities in ELF" suggestion is that it only
> takes away rights, the case is definitely closed for me.
Yes it only removes. I just need to add ECF_DISEMPOWER_ROOT so that suid
root doesn't add its legacy empowerment even in compatibility mode if
thats unwanted. Hopefully I'll have that later tommorow.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/