Re: posix capabilities inheritance

From: Andy Lutomirski
Date: Tue Oct 21 2003 - 13:25:14 EST


I agree with these problems, but I think the proper fix is complicated. AFAICT, POSIX capability evolution, as specified by whatever draft it was, is broken, so the hacks in prepare_binprm (cap_bprm_set_security in 2.6) are needed to avoid security problems. Aside from the fact that non-inheritable-by-default makes little sense (and requires root to get capabilities re-added from the file _permitted_ set), POSIX cap evolution has some other problems:

1. Can a process have capabilities in its inheritable set and not in its permitted set? POSIX allows such processes to be created (pI = pP = full, then execute (fI = 0, fP = 0). Nevertheless, its pP evolution rule assumes that this never happens (pI capabilities can reappear).

2. If a process has pE < pP (i.e. some caps disabled, e.g. uid=0, euid!=0), and exec's fE=full, then its capabilities get re-enabled. This seems like a pretty serious breakage of userspace.

I have a possible fix to these issues at <http://www.stanford.edu/~luto/linux-fscap/> -- CONFIG_FS_CAPS (in cap-1-fscap.patch) changes the capability evolution rules slightly to make them (IMHO) both safe and sensible, as well as removing the ugly hackage in set_security. This will allow your capabilities to persist through exec(). The second patch (cap-2-ext3.patch) adds file capabilities to ext3. Both are tested on 2.6.0-test6, and they apply with fuzz and compile (but not tested yet) on -test8. (These are different from my last attempt at this -- they are much closer to POSIX semantics.)

Unfortunately, I think it's too late to include these in 2.6.0.

Andy

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/