> The argument against this is that it's harder for the system
> administrator to query to see what privileges a program has, and that it
> allows the system administrator to configure the privileges for each
> program.
Actually, query if it drops priviledges before it does anything bad is
probably equivalent to halting problem ;). You could go for programs
carrying proof that they are safe. I don't think that's a way.
> The flip side of it is that most system administrators won't know how to
> configure the capabilities correctly --- may Unix administrators have
> problems with Unix permissions bits, for goodness sake! --- and so
> the
> ability to be able to query the capabilities mask and set the
> capabilities may be a curse, not a blessing. Also, if the selection
You really need at least to be able to query. If I see /bin/ping, I
want to know what permissions it runs with! And ability to set is also
usefull, that way I can take stock Debian 2.1 install and make it
capability-enhanced in 5 minutes.
> which capabilities to drop are determined at configuration time rather
> than compile time, it means that the programs have to be very careful
> about testing how the program behaves under a very wide range of
> circumstances in terms of which capabilities the program might have.
> Furthermore, in reality, there are probably only a very small set of
> configurations (and possibly only one) with both (a) work and (b) are
> secure.
I'd like capabilities masks to be normally set at compile time, in the
long term. But it *must* be possible to list this, and it would be
nice to be able to change capability masks in future.
Yes, I see it is hard to get masks right. That's why I started
http://atrey.karlin.mff.cuni.cz/~pavel/caps/capbase.html; take a look
and correct any mistakes you see. I'd like all authors of secure
programs to add their entries; really only they have knowledge for
nontrivial cases. That's why I started database.
I even have script which looks which executables are configured
insecurely (http://atrey/~pavel/caps/capcheck) (which might actually
configure them in future) -- this is as userfriendly as you can get
it.
> In contrast, if the program simply drops its capabilities as soon as it
> starts up, then the programmer can determine exactly what set of
~~~~~~~~~
That's hard part, because this way dynamic linker + anything run
before main() runs with elevated priviledges. That's problem, at least
for me.
But imagine me going after author of sendmail and asking for
#ifdef LINUX
capabilities_drop( -1 & (~CAP_NET_BIND_SERVICE))
#endif
. I think he would kill me.
Pavel
-- I'm really pavel@ucw.cz. Look at http://195.113.31.123/~pavel. Pavel Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/