> > Hi,
> >
> > I just noticed that the kernel executes "modprobe" with _all_ capabilities
> > raised.
>
> You're seriously considering enabling module autoloading a secure system?
No, not really.
However, someone might disable module loading by revoking the relevant
capabilities from the entire system (rather than compiling out module
loading). You might say this is foolish, but there are reasons to do this
- perhaps "init" is privileged with passworded access, for those occasions
when new modules are required.
Given the above situation, it is dangerous to issue _all_ capabilities to
a userland program (modprobe) which may be subverted.
Put another way, if I have a shell with various capabilities permantently
revoked (RAW_IO, MODULE, etc), then insmod is not available to me. However
I can open /dev/something, and cause a program with _all_ capabilities to
act on my behalf. I offered several ways of subverting that program in my
previous mail.
Chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/