Re: [PATCH][RFC] 2.5.44 (1/2): Filesystem capabilities kernel patch

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Andreas Gruenbacher <agruen@suse.de>
To: <chris@scary.beasts.org>,
	Olaf Dietsche <olaf.dietsche#list.linux-kernel@t-online.de>
Cc: <linux-kernel@vger.kernel.org>, Ulrich Drepper <drepper@redhat.com>
Subject: Re: [PATCH][RFC] 2.5.44 (1/2): Filesystem capabilities kernel patch
Date: Tue, 29 Oct 2002 03:23:09 +0100	[thread overview]
Message-ID: <200210290323.09565.agruen@suse.de> (raw)
In-Reply-To: <Pine.LNX.4.33.0210282327520.8990-100000@sphinx.mythic-beasts.com>

On Tuesday 29 October 2002 00:36, chris@scary.beasts.org wrote:
> On Mon, 28 Oct 2002, Olaf Dietsche wrote:
> > Solving the last issue (checking access to the capabilities database)
> > involves filesystem support, I guess. So, this will be the next step
> > to address.
> >
> > If you're careful with giving away capabilities however, this patch
> > can make your system more secure as it is. But this isn't fully
> > explored, so you might achieve the opposite and open new security
> > holes.
>
> Have you checked how glibc handles an executable with filesystem
> capabilities? e.g. can an LD_PRELOAD hack subvert the privileged
> executable?
> I'm not sure what the current glibc security check is, but it used to be
> simple *uid() vs. *euid() checks. This would not catch an executable with
> filesystem capabilities.
> Have a look at
> http://security-archive.merton.ox.ac.uk/security-audit-199907/0192.html

It seems an additional mechanism is needed to prevent LD_PRELOAD from loading 
non-standard libraries for executables that are not suid/sgid, if those 
executables have any effective or permitted capabilities that the calling 
process doesn't have already.

This shouldn't be too hard; perhaps Ulrich has an opinion on that.

> I think the eventual plan was that we pass the kernel's current->dumpable
> as an ELF note. Not sure if it got done. Alternatively glibc could use
> prctl(PR_GET_DUMPABLE).

Sorry, I don't know exactly what was your plan here. Could you please explain?

A perhaps unrelated note: We once had Pavel Machek's elfcap implementation, in 
which capabilities were stored in ELF. This was a bad idea because being able 
to create executables does not imply the user is capable of CAP_SETFCAP, and 
users shouldn't be able to freely choose their capabilities :-] We still want 
to be able to grant additional capabilities to a binary that are not owned by 
root though. Extended attributes to overcome this limitation.

There also has to be a mechanism to drop capabilities off binaries if they are 
written to (on write or perhaps on open).

The final goal would be the `incapable root user', i.e., we would not give 
suid root binaries any capabilities except those that are explicitly defined.

--Andreas.

next prev parent reply	other threads:[~2002-10-29  2:28 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-10-18 19:07 [PATCH][RFC] 2.5.42 (1/2): Filesystem capabilities kernel patch Olaf Dietsche
2002-10-18 23:00 ` Alexander Viro
2002-10-19  0:07   ` Olaf Dietsche
2002-10-19  0:25     ` Alexander Viro
2002-10-24 12:25       ` [PATCH][RFC] 2.5.44 " Olaf Dietsche
2002-10-28 22:56         ` Olaf Dietsche
2002-10-28 23:36           ` chris
2002-10-29  0:20             ` Olaf Dietsche
2002-10-29  1:08               ` Olaf Dietsche
2002-10-29 11:08                 ` Olaf Dietsche
2002-10-29 11:18                 ` Chris Evans
2002-10-29  2:23             ` Andreas Gruenbacher [this message]
2002-10-29 11:09               ` Olaf Dietsche
2002-10-29 11:35                 ` Andreas Gruenbacher
2002-10-29 12:04                 ` __libc_enable_secure check (was: [PATCH][RFC] 2.5.44 (1/2): Filesystem capabilities kernel patch) Olaf Dietsche
2002-10-29 14:38                 ` [PATCH][RFC] 2.5.44 (1/2): Filesystem capabilities kernel patch Olaf Dietsche
2002-10-20  0:24 ` [PATCH][RFC] 2.5.42 " Andreas Gruenbacher
2002-10-21 15:25   ` Olaf Dietsche
2002-10-21 22:03     ` Andreas Gruenbacher

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200210290323.09565.agruen@suse.de \
    --to=agruen@suse.de \
    --cc=chris@scary.beasts.org \
    --cc=drepper@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=olaf.dietsche#list.linux-kernel@t-online.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.