Re: posix capabilities inheritance

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Theodore Ts'o" <tytso@mit.edu>
To: Michael Glasgow <glasgowNOSPAM@beer.net>
Cc: linux-kernel@vger.kernel.org
Subject: Re: posix capabilities inheritance
Date: Thu, 23 Oct 2003 12:46:16 -0400	[thread overview]
Message-ID: <20031023164616.GA552@thunk.org> (raw)
In-Reply-To: <200310211126.h9LBQjx4097592@dark.beer.net>

On Tue, Oct 21, 2003 at 06:26:45AM -0500, Michael Glasgow wrote:
> I wrote a simple setuid-root wrapper which sets some capabilities, 
> gives up all other privs, and and then execs a shell.  I was hoping
> to use this wrapper as a login shell so that I could have a user  
> log in interactively with a small subset of elevated privileges.
> 
> Unfortunately after looking over the capabilities code in the 2.4
> kernel, it would appear that this is not currently possible, and
> my wrapper cannot work without filesystem support for capabilities.
> And even then, I'd have to set each file's inheritable flag for the
> capabilities I want on every executable that I am likely to run,
> including the shell.  Am I mising something, or is this an accurate
> description?

No, you're not missing anything.

What happened here is that originally there was a security
vulnerability caused by an a badly desgined attempt to take advantage
of capabilities without filesystem support.  In order to fix it, the
patch took a very conservative path, which completely disabled the use
of selective capability inheritance.  (Capabilities are still useful,
but only in setuid root programs that selectively drop unneeded
capabilities --- still in my opinion the best way to use capabilities,
BTW).

> As an interim workaround, how about assuming all capabilities are
> inheritable in fs/exec.c:prepare_binprm, i.e. instead of
> cap_clear(bprm->cap_inheritable), call cap_set_full() ???  I don't
> think this would break anything, and it would make capabilities a
> lot more useful until we get fs support merged in.

I agree this is safe, and allows the use of your setuid wrapper
script.  The one reason why I think it's better to modify programs is
that it's too easy for individual system administrators to screw up
the configuration used by your wrapper script, and accidentally
introduce a security vulnerability into their system.  It's dangerous
to give a program some capability (or reduce the capability given to a
program designed to be setuid) without examining the source code and
being clueful.  So by making the program setuid and editing the source
code to add an explicit capability drop in the program is much, much
safer compared to having a random system administrator to edit a
config file and trust that he or she does so correctly.

						- Ted

next prev parent reply	other threads:[~2003-10-23 16:50 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-10-21 11:26 posix capabilities inheritance Michael Glasgow
2003-10-23 16:46 ` Theodore Ts'o [this message]
     [not found] <fa.hehull9.10mmngt@ifi.uio.no>
2003-10-21 18:24 ` Andy Lutomirski
     [not found] <fa.f36f4t9.1rg8j3v@ifi.uio.no>
2003-10-22  7:11 ` Michael Glasgow
2003-10-22 19:40   ` Andy Lutomirski
     [not found] <fa.f9mv0tb.27sf3j@ifi.uio.no>
2003-10-23  1:36 ` Michael Glasgow
2003-10-23  1:57   ` Andy Lutomirski
  -- strict thread matches above, loose matches on Subject: below --
2003-10-23  1:41 Albert Cahalan
     [not found] <fa.f4bs2b4.fhub0m@ifi.uio.no>
2003-10-23 22:05 ` Michael Glasgow
2003-10-23 22:59   ` Theodore Ts'o
2003-10-24  1:36   ` Ernie Petrides
2003-10-24  2:19     ` Bernd Eckenfels
2003-10-24  5:10       ` Ernie Petrides
2003-10-25 19:51     ` Pavel Machek
     [not found] <fa.n4rmmgg.2423pm@ifi.uio.no>
     [not found] ` <fa.l1oevhb.1s5k583@ifi.uio.no>
2003-10-24  8:44   ` Andy Lutomirski
2003-10-24 12:41     ` Theodore Ts'o
2003-10-24 16:44       ` Andy Lutomirski
2003-10-24 20:58         ` David Wagner
     [not found] <fa.f26d55g.1qgijbi@ifi.uio.no>
     [not found] ` <fa.hq0dft9.9i0obd@ifi.uio.no>
2003-10-24 21:24   ` Andy Lutomirski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20031023164616.GA552@thunk.org \
    --to=tytso@mit.edu \
    --cc=glasgowNOSPAM@beer.net \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.