Re: Capabilities

From: John Prevost (prevost@maya.com)
Date: Sat Feb 19 2000 - 18:04:05 EST

Next message: Frank v Waveren: "encrypted filesystem and multitasking"
Previous message: Lawrence Manning: "Re: Eepro100 on 2.0.x and 2.2.x"
Next in thread: Pavel Machek: "Re: Capabilities"
Reply: Pavel Machek: "Re: Capabilities"
Reply: Ralf Baechle: "Re: Capabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"Theodore Y. Ts'o" <tytso@MIT.EDU> writes:

{...}
> But if we want to support the full capability model, then we
> can't take shortcuts like that. As I said earlier, it's very different
> from the Unix model, and I'm not so convinced that sysadmins will be
> able to deal with it correctly. If we're going to try to do
> capabilities, however, we might as well try to do them right.

As a sysadmin who's concerned about security, I think I can safely say
that it may take some time before the full use of capabilities is
realized--there's a lot of stuff that needs to be changed around
before everything on even a freshly installed system is set up right.
But--eventually, some Linux distro will have reasonable cap settings
from the start, and people will vet stuff on their own.

Having a way to be sure the kernel is enforcing this policy is much
better than trusting *any* programmer to do it right in their own
software. It's the old security kernel model--there's only one piece
of code you need to trust to be right--and that's the kernel
capability stuff. (Not small, but smaller than the entire universe of
software.) For some programs that might need extra capabilities and
then drop them (an FTP server which wants to set its uid, then drop
that capability when a user logs in) there's still a much smaller
worry when you only need to check that one possibility.

But I think most people realize that. :)

Pavel also mentioned that there's no way to prevent exec--I disagree
(though I haven't looked at the list of capabilities in Linux or
Posix, I'm afraid). Certainly, if you deny exec abilities you also
want to deny, at least, the ability to mmap files as executable, and
you also want to arrange that executable pages are never writable.

And most importantly, the big thing that exec could do that mmap can't
is get new capabilities by execing a setcap executable. (Sure, I can
mmap su into myself. So what? I can't actually do anything with it!)

John.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Frank v Waveren: "encrypted filesystem and multitasking"
Previous message: Lawrence Manning: "Re: Eepro100 on 2.0.x and 2.2.x"
Next in thread: Pavel Machek: "Re: Capabilities"
Reply: Pavel Machek: "Re: Capabilities"
Reply: Ralf Baechle: "Re: Capabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Wed Feb 23 2000 - 21:00:24 EST