Re: Ke: Process Capabilities on 2.2.16, Sendmail problem revisited

From: Jesse Pollard (pollard@tomcat.admin.navo.hpc.mil)
Date: Wed Jun 14 2000 - 10:36:32 EST


--------- Received message begins Here ---------

>
> Hi!
>
> > pavel-velo@bug.ucw.cz:
> > > >> which spawned an entire OTHER
> > > >> argument on how that should be done. (ext2+caps,elfcap,et al)
> > > >
> > > >Yep. Capabilities in ext2 is just wrong. Using ELF is merely bad.
> > > >This is a UNIX clone you know; you can't make it into VMS.
> > >
> > > Why not? Elfcap is a simple hack that does not break anything. Capabilities *are* useful for simple tasks already. I do not know about VMS, but the current system has practical uses.
> >
> > Elfcap is insecure, and permits the generation of trojan horses.
>
> Albert explained it very nicely. You are wrong.
>
> > Until you are passed a trojan horse.
>
> When you are passed a trojan horse with the setuid bit set -- well -- you
> are in exactly the same situation with elfcap. Just don't take trojan
> horses with the setuid bit set from unknown people. That always was like
> this. Oh, and you can dump the capabilities it will drop with a simple
> utility, so you can see for yourself which capabilities it is going to

Sure, sure - and all installation software is modified to remove capabilities
when run. Yeah, right. In a pig's eye.

When I install software, I try to install it as non-root. This prevents
the normal creation of setuid binaries that I don't know about. The number
of binary-only installation packages is very large, since many vendors do
not want the installation procedure modified. Since I can't look at the
binaries before installation, I can only look at them afterward. elfcap
makes it necessary to examine every file (executable or not) to search for
trojan horses with improper capability assignments.

Using ext2 capabilities, I only have to examine the inode of the file. All
privilege information is revealed. I don't have to READ each file as well.

No thanks. It takes way too long, and is not reliable (compressed files, tar
files, compressed tar files, tar files of compressed files...).

Since tar is not required to know about capabilities, restoring a tar file
will not create new ones: even if the original file had capabilities, the
copy won't.

NO ELFCAP. Not secure, not reliable, not auditable.

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
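The audit Jesse describes (walk the installed tree and check each file's metadata for setuid bits and capability grants, without reading file contents) is what inode-side capabilities make cheap. The script below is an added example for this archive page, not code from the thread, from elfcap, or from the ext2-capabilities patches. It assumes a modern Linux kernel, where file capabilities are stored as the `security.capability` extended attribute on the inode (the successor of the inode-side model argued for above) and encoded as `struct vfs_cap_data`; the revision and flag constants are taken from the kernel's `include/uapi/linux/capability.h`, and the capability-name table is a partial one, with unlisted bits printed as `cap_N`.

```python
"""Audit a directory tree for setuid/setgid files and for Linux file
capabilities stored in the security.capability xattr.

Constructed example for this thread, not code from the thread's authors
or from the elfcap / ext2-caps patches. Assumes a modern Linux kernel:
file capabilities live in an inode xattr encoded as struct vfs_cap_data.
"""
import os
import stat
import struct

# Constants from include/uapi/linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_1 = 0x01000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000

# Partial capability bit table; bits not listed here are printed as cap_N.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 10: "cap_net_bind_service",
    12: "cap_net_admin", 13: "cap_net_raw", 17: "cap_sys_rawio",
    19: "cap_sys_ptrace", 21: "cap_sys_admin", 31: "cap_setfcap",
}


def cap_names(mask):
    """Expand a 64-bit capability mask into names, lowest bit first."""
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1]


def decode_vfs_cap(blob):
    """Decode a security.capability value (struct vfs_cap_data) into a dict.

    Layout: __le32 magic_etc (revision in the top byte, effective flag in
    bit 0), then (permitted, inheritable) __le32 pairs: one pair for
    revision 1, two for revisions 2 and 3; revision 3 appends __le32 rootid.
    """
    if len(blob) < 4:
        raise ValueError("blob too short for magic")
    magic = struct.unpack_from("<I", blob, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    effective = bool(magic & VFS_CAP_FLAGS_EFFECTIVE)
    if rev == VFS_CAP_REVISION_1:
        words, expected = 1, 4 + 8
    elif rev in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        words, expected = 2, 4 + 16 + (4 if rev == VFS_CAP_REVISION_3 else 0)
    else:
        raise ValueError(f"unknown vfs_cap revision {rev:#x}")
    if len(blob) != expected:
        raise ValueError(f"revision {rev >> 24} expects {expected} bytes, got {len(blob)}")
    permitted = inheritable = 0
    for i in range(words):
        p, h = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= h << (32 * i)
    rootid = struct.unpack_from("<I", blob, 20)[0] if rev == VFS_CAP_REVISION_3 else 0
    return {"revision": rev >> 24, "effective": effective,
            "permitted": cap_names(permitted),
            "inheritable": cap_names(inheritable), "rootid": rootid}


def encode_vfs_cap_v2(permitted, inheritable=0, effective=True):
    """Build a revision-2 blob; used here only to construct sample input."""
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic,
                       permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                       permitted >> 32, inheritable >> 32)


def audit_tree(root):
    """Return [(path, finding)] for each regular file that is setuid, setgid
    or carries a security.capability xattr. Only inode metadata is read,
    never file contents, so archives and compressed files cost nothing extra."""
    findings = []
    getxattr = getattr(os, "getxattr", None)  # present on Linux only
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                findings.append((path, "setuid"))
            if st.st_mode & stat.S_ISGID:
                findings.append((path, "setgid"))
            if getxattr is None:
                continue
            try:
                blob = getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:  # ENODATA: no caps; ENOTSUP: filesystem without xattrs
                continue
            try:
                caps = decode_vfs_cap(blob)
                suffix = "+ep" if caps["effective"] else "+p"
                findings.append((path, "filecap " + ",".join(caps["permitted"]) + suffix))
            except ValueError as err:
                findings.append((path, f"filecap (undecodable: {err})"))
    return findings


if __name__ == "__main__":
    import sys
    for path, what in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print(f"{what:40s} {path}")
```

Run it as `python3 audit_caps.py /opt/vendor-package` after an install to list every file that gained a privilege bit or a capability grant; libcap's `getcap -r` reports the same xattr data for file capabilities only. Because both checks read inode metadata, the cost is one `lstat` and one `getxattr` per file regardless of file size or whether the file is an archive, which is exactly the property the message above claims for ext2-style capabilities and denies to elfcap's in-file encoding.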



This archive was generated by hypermail 2b29 : Thu Jun 15 2000 - 21:00:31 EST