Re: Caps in elf: discussion stopper [was Re: caps in elf headers:

Y2K (y2k@y2ker.com)
Wed, 21 Apr 1999 14:02:18 -0700 (PDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Albert D. Cahalan: "Re: Caps in elf: discussion stopper [was Re: caps in elf headers: use the sticky bit!]"
Previous message: Y2K: "Re: inheritable set [was Re: caps in elf headers: use the sticky"
In reply to: tytso@mit.edu: "Re: Caps in elf: discussion stopper [was Re: caps in elf headers: use the sticky bit!]"
Next in thread: Albert D. Cahalan: "Re: Caps in elf: discussion stopper [was Re: caps in elf headers: use the sticky bit!]"

On Wed, 21 Apr 1999 tytso@mit.edu wrote:
> However, an obvious question to ask at this point is why do it by
> hacking the ELF header? It's probably much simpler to have the
> executable explicitly drop capabilities by making an appropriate system
> call in the executable itself. This has the advantage that the kernel
> doesn't have to try to parse through the ELF sections looking for the
> capabilities-to-drop information, and possibily modifying ELF sections
> as well, which adds a *lot* of complexity.
It accomplishes several things.
1) legacy support ie. use same old sources for awhile
2) can be easily varified with external tools.
3) proven to be accomplished very early in the processes lifetime
4) tweakable -- norecompile needed
5) self contained configuration
> So this would be a very simple model where you just have a setuid root
> program, and it could simply drop some or all of its
> privileges/capabilities at any point in its execution --- perhaps at the
> beginning, perhaps later on in the execution of the program, etc. It's
> more flexible and simpler than the setuid-root-and-use-ELF approach.
Yes but it lacks a few things that I'd like to see and it doesn't stop you
from using the new api's to change things during the processes but doesn't
require it.
> If people are looking for a short term hack, this is it. It doesn't
> require making any changes to the kernel, or any changes to any
> user-land administrative tools, nor do we need to teach administrators
> how to set these magic bits in the ELF headers. All we have to do is
> add the code into the daemons themselves. It doesn't give you the power
> of the full POSIX capabilities model, but it is better than nothing;
> it's simple, and it won't break things in the future if and when we
> finally get around to implementing the full POSIX capabilities model.
Other kernel changes are needed. Did you see what happens in the present
kernel when you do an exec or cast out root from ruid and euid?
The patch I have out tries addressing some of those issues also.

As another intersting observation right now elf headers also have the
interesting property of being the only gate that know of to get non-root
cap-enhanced processes that I've seen for the linux kernel.
The standard legacy behavior of the present kernel makes it impossible to
keep caps when you become non-root.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Albert D. Cahalan: "Re: Caps in elf: discussion stopper [was Re: caps in elf headers: use the sticky bit!]"
Previous message: Y2K: "Re: inheritable set [was Re: caps in elf headers: use the sticky"
In reply to: tytso@mit.edu: "Re: Caps in elf: discussion stopper [was Re: caps in elf headers: use the sticky bit!]"
Next in thread: Albert D. Cahalan: "Re: Caps in elf: discussion stopper [was Re: caps in elf headers: use the sticky bit!]"