(was: Re: PATCH: cdrecord: avoiding scsi device numbering for idedevices)

From: John Myers
Date: Tue Aug 31 2004 - 17:31:48 EST

Next message: Spam: "Re: silent semantic changes in reiser4 (brief attempt to document the idea of what reiser4 wants to do with metafiles and why"
Previous message: Harry Edmon: "Re[4]: PROBLEM: page allocation or what in 2.6.8.1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Christer Weinigel wrote:

Pascal Schmidt <der.eremit@xxxxxxxx> writes:

[...] if I have write permisson to a CD burner, being able to
burn a coaster by issuing strange commands is something I expect.
Being able to destroy the firmware of the drive is not something I
expect a normal user to be able to do.

There are at least three conflicting goals here:

1. Only someone with CAP_SYS_RAWIO (i.e. root) should be able to do
possible destructive things to a device, and only root should be
able to bypass the normal security checks in the kernel (e.g. get
access to /dev/mem since access to it means that you can read and
modify internal kernel structures).

2. A Linux system should have as few suid root binaries as possible.

3. A normal user should be able to perform most tasks without needing
root.

I hope this is not a stupid idea:

I propose a finer-grained approach to suid-root binaries. Perhaps, instead of having a single flag giving the binary all the rights and responsibilities of its owner, there could be a table/list/something of capabilities which we want to grant to the binary. This, of course, would be a privileged operation (perhaps a new capability?).

For example, we might want to grant cdrecord CAP_SYS_RAWIO. This way, we don't have to worry about cdrecord running as root and not dropping all the capabilities it doesn't need, by accident or by malice.

Further, and I realize that this would probably require major restructuring, perhaps there could be another field: for each capability we want to grant, a method to specify _where_ the binary can use that capability.

To extend the previous example: we might want to give cdrecord CAP_SYS_RAWIO just on, say, /dev/burner0 and /dev/burner1, but not /dev/hda. That way, some typo won't have us trying to burn cds with our hard disks.

Again, I hope it's not a stupid idea. I don't have a working implementation, and I'm not even sure if it's even possible, but it's a thought.
--
electronerd (jonathan s myers)
code poet and recycle bin monitor
programmer, monolith3d.com

Attachment: signature.asc
Description: OpenPGP digital signature

Next message: Spam: "Re: silent semantic changes in reiser4 (brief attempt to document the idea of what reiser4 wants to do with metafiles and why"
Previous message: Harry Edmon: "Re[4]: PROBLEM: page allocation or what in 2.6.8.1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]