Re: [patch 2.1.97] more capabilities support

Albert D. Cahalan (acahalan@cs.uml.edu)
Sun, 19 Apr 1998 19:13:13 -0400 (EDT)


Andrew Morgan writes:

>>> * a Bounding Set that serves as a fail-safe mechanism
>>> to ensure users cannot acquire more privilege beyond
>>> what they have been authorized
>
> One of the critical things about the capability model is the movement
> away from having executables spontaneously acquire privilege by simply
> being invoked.
>
> This is one of the main problems with the historical suid model: a
> program gets all the power when it starts up. There are frequently
> new attacks on programs that exploit such a feature. Passing command
> line arguments that overflow a stack comes to mind...

I think that is terribly wrong.

1. overflow stack
2. run code to enable super power <-- duh
3. run code to do bad stuff

This looks far easier to bypass than the anti-exec patch,
which can be bypassed under just the right conditions.
For this, you don't even need to know the layout of the
executable, libraries, and loader.

> The recommendation is that before this is done, the application
> "authenticates" the requesting user and context of the request. This
> authentication can be as strong or as weak as the application sees fit
> -- from don't care, to please step up to the retinal scanner -- but by
> providing some distance between acquiring the potential for power and
> actually activating the power there is at least a window of
> opportunity to authenticate the request. The fundamental point being
> that authentication (firewalling if you like) is the only way to
> enforce a security model.

You should assume that most apps will be "don't care", even though
the admin might really care.

>> I perceive the main benefit of this for users like "nobody";
>> with an empty bounding set the user really can be "unprivileged",
>> in the sense they can't try and exploit your SUID/privileged
>> programs to gain a root shell etc.
>
> The point you raise here about "nobody" getting some power, is
> an over-generalization. In some rare cases (contexts), it may
> be appropriate for the "nobody" user to exercise a capability.

So that _one_ can be in (outside?) nobody's bounding set.

> In these cases it is the "authentication" component of the
> application that needs to make this decision and because of
> the context, this is generally not something that can be
> reduced to a couple of bits in the file's attributes.

OK, but what about the bounding set on a user?
I suppose that would be "pB".

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
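An added example, not code from this thread or from the 2.1.97 patch: a small C program that reads the calling thread's pE/pP/pI sets with capget(2), reads and drops bounding-set entries with prctl(2), and performs the "run code to enable super power" step from the attack sketch above as a single capset(2) call. It uses the capability interface of Linux 2.6.25 and later (64-bit sets, per-thread bounding set) rather than the interface being discussed in 1998; the struct and function names other than the syscalls and kernel constants are my own.

```c
/* Added example (not code from the linux-kernel thread): inspect and
 * change Linux capability sets with the raw capget/capset syscalls and
 * prctl(), as they exist on Linux 2.6.25 and later. Needs only libc and
 * the kernel UAPI header linux/capability.h, not libcap. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* The three per-thread sets discussed in the thread: pE, pP, pI. */
struct caps { uint64_t effective, permitted, inheritable; };

static int cap_is_set(uint64_t set, int cap)
{
    return cap >= 0 && cap < 64 && ((set >> cap) & 1);
}

/* Read the calling thread's sets. No privilege needed. Returns 0 or -1. */
static int caps_get(struct caps *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    out->effective   = (uint64_t)data[1].effective   << 32 | data[0].effective;
    out->permitted   = (uint64_t)data[1].permitted   << 32 | data[0].permitted;
    out->inheritable = (uint64_t)data[1].inheritable << 32 | data[0].inheritable;
    return 0;
}

/* Write all three sets back. The kernel refuses (EPERM) if the new pE is
 * not a subset of pP, or if pP would grow. */
static int caps_set(const struct caps *c)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    data[0].effective   = (uint32_t)c->effective;
    data[1].effective   = (uint32_t)(c->effective >> 32);
    data[0].permitted   = (uint32_t)c->permitted;
    data[1].permitted   = (uint32_t)(c->permitted >> 32);
    data[0].inheritable = (uint32_t)c->inheritable;
    data[1].inheritable = (uint32_t)(c->inheritable >> 32);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* "Run code to enable super power": turning a capability that is merely
 * permitted into one that is effective is one capset() away, which is
 * the whole distance between "potential" and "active" power. Returns 0
 * on success, -1 with errno EPERM if cap is not in pP. */
static int raise_effective(int cap)
{
    struct caps c;

    if (cap < 0 || cap >= 64) { errno = EINVAL; return -1; }
    if (caps_get(&c) != 0)
        return -1;
    c.effective |= (uint64_t)1 << cap;
    return caps_set(&c);
}

/* Bounding set: 1 if cap is in it, 0 if not, -1 if cap is not valid. */
static int cap_in_bounding_set(int cap)
{
    int r = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
    return r < 0 ? -1 : r;
}

/* Dropping from the bounding set is permanent for this thread and its
 * descendants and itself needs CAP_SETPCAP in pE. Returns 0 or -1. */
static int drop_from_bounding_set(int cap)
{
    return prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0UL, 0UL, 0UL) == 0 ? 0 : -1;
}

int main(void)
{
    struct caps c;

    if (caps_get(&c) != 0) { perror("capget"); return 1; }
    printf("pE=%#018llx pP=%#018llx pI=%#018llx\n",
           (unsigned long long)c.effective, (unsigned long long)c.permitted,
           (unsigned long long)c.inheritable);
    printf("CAP_SYS_ADMIN: bounding=%d permitted=%d effective=%d\n",
           cap_in_bounding_set(CAP_SYS_ADMIN),
           cap_is_set(c.permitted, CAP_SYS_ADMIN),
           cap_is_set(c.effective, CAP_SYS_ADMIN));
    if (raise_effective(CAP_SYS_ADMIN) == 0)
        printf("CAP_SYS_ADMIN is now effective\n");
    else
        perror("raise_effective(CAP_SYS_ADMIN)");
    return 0;
}
```

Run it as an ordinary user and raise_effective() fails with EPERM because pP is empty; run it as root and it succeeds, which is exactly the point made in the reply: once an attacker runs code inside a process that holds a capability in pP, activating it is a single system call, and no "authentication" the application intended to perform stands in the way. On modern kernels the bounding set answers the "bounding set on a user" question differently from a per-user pB: it is per thread, inherited across fork and execve, and only shrinks, so an administrator who wants "nobody" to be genuinely unprivileged drops the relevant capabilities from the bounding set before handing control to the service.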