Re: Filesystem Capabilities in 2.6?

From: Jan Harkes (jaharkes@cs.cmu.edu)
Date: Fri Nov 01 2002 - 18:25:55 EST


On Fri, Nov 01, 2002 at 11:07:59PM +0100, Olaf Dietsche wrote:
> > Unfortunately Alexander has spoken again:
> >
> > http://marc.theaimsgroup.com/?l=linux-kernel&m=103498212701476&w=4
>
> Well, this was his first histerical response. In the meantime, all his
> points have been addressed. I haven't heard of new objections, did you?

I have several comments.

Where are the capabilities stored? In a file called .capability in the
root of the filesystem? Why would that root be writable, my current Coda
development tree has a read-only top-level directory in which different
realms can be dynamically mounted (similar to autofs).

How would I remove a capability from a vulnerable binary on readonly
media (i.e. cdrom), while still allowing other applications on the same
disk to run with special caps.

Right now an administrator can simply search for all setuid binaries to
check for possible 'unwanted priviledge elevations'. With the proposed
capabilities seemingly ordinary applications could suddenly have special
powers. Also when I explicitly drop capabilities secure a system, these
fs-caps could very well reintroduce a capability that were not in the
permitted set of any of the running processes.

It is probably better to remove than to add capabilities. As everyone
knows a setuid app is 'dangerous' use this code to remove some of the
power that normally is associated with setuid. I.e. when the setuid bit
is set for a specific application don't change euid to root, but still
give the power to bind to priviledged ports.

In the end I believe capabilities (like setuid) should be a local
decision. Yes, I'm looking at this from the viewpoint of a distributed
network filesystem that crosses administrative boundaries, and as such I
don't always trust whatever is stored in a mounted volume.

Why not modify a program like sudo or super that can give capabilities
to processes based on local rules and configuration... Ok there already
is a programs that does something like this which is called 'whichcap'.

Another solution is to have a trusted daemon that is the only process
in the system with the capability to grant capabilities to other
proceses. Other processes can send a request to this daemon, which can
consult local rules, double check md5 checksum or whatever paranoia is
needed before it actually does a setcap.

Jan

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Thu Nov 07 2002 - 22:00:22 EST