From: "Theodore Ts'o" <tytso@mit.edu>
To: Michael Glasgow <glasgow@beer.net>
Cc: linux-kernel@vger.kernel.org
Subject: Re: posix capabilities inheritance
Date: Thu, 23 Oct 2003 18:59:03 -0400 [thread overview]
Message-ID: <20031023225903.GB3719@thunk.org> (raw)
In-Reply-To: <200310232205.h9NM5eOc004400@dark.beer.net>
On Thu, Oct 23, 2003 at 05:05:40PM -0500, Michael Glasgow wrote:
> Even with selective capability inheritance enabled in this fashion,
> it is still possible to avoid using it and modify programs directly,
> if you think that's more secure. Personally, I think that in some
> cases it's slightly more secure to have a very small (statically
> linked) setuid wrapper program which sets up capabilities properly
> than to make a very large program setuid-root (when it was not
> designed to run as root), only to add one capability.
>
> Yes, you can do the capability-setup first thing in main()... but
> this is occasionally insufficient. Also, it makes it a pain to
> have, for instance, a backup user with CAP_DAC_READ_SEARCH who is
> able to run several apps, e.g. dump, tar, cpio, rsync, etc. from
> a restricted shell.
>
> The code to drop privs is not hard, but it's also not trivial.
> Those without a clue are just as likely to screw it up as they are
> a wrapper; and anyway since when did it become a design goal for
> the kernel to cater to the ineptitude of the clueless? That sounds
> more like a Redmond, Washington philosophy than one fit for Linux. :-)
Modifying source code requires programming capabilities, which means
that the most clueless won't do it at all. It's something that needs
to be done by the upstream authors, or perhaps by the distributions,
at which point the clueless will get it when they upgrade.
It's not matter of catering to the ineptitude of the clueless but
pursueing a design which doesn't leave an open manhole cover where a
clueless system administrator can screw up and put their entire system
at risk. Consider that even if the distributions ship a package using
your system, there will be a config file which will be an opportunity
for a system administrator to screw up. In general, for any
particular system program, there is only one acceptable setting in
terms of what capabilities it will need. So why make it be something
which can be screwed up in a config file?
Fix it once, by a programmer who knows what he/she is doing, and the
problem is fixed for everyone. Furthermore, it will be more efficient
since it avoids an exec and requirement for a program to parse a
config file.
- Ted
next prev parent reply other threads:[~2003-10-23 22:59 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <fa.f4bs2b4.fhub0m@ifi.uio.no>
2003-10-23 22:05 ` posix capabilities inheritance Michael Glasgow
2003-10-23 22:59 ` Theodore Ts'o [this message]
2003-10-24 1:36 ` Ernie Petrides
2003-10-24 2:19 ` Bernd Eckenfels
2003-10-24 5:10 ` Ernie Petrides
2003-10-25 19:51 ` Pavel Machek
[not found] <fa.f26d55g.1qgijbi@ifi.uio.no>
[not found] ` <fa.hq0dft9.9i0obd@ifi.uio.no>
2003-10-24 21:24 ` Andy Lutomirski
[not found] <fa.n4rmmgg.2423pm@ifi.uio.no>
[not found] ` <fa.l1oevhb.1s5k583@ifi.uio.no>
2003-10-24 8:44 ` Andy Lutomirski
2003-10-24 12:41 ` Theodore Ts'o
2003-10-24 16:44 ` Andy Lutomirski
2003-10-24 20:58 ` David Wagner
2003-10-23 1:41 Albert Cahalan
[not found] <fa.f9mv0tb.27sf3j@ifi.uio.no>
2003-10-23 1:36 ` Michael Glasgow
2003-10-23 1:57 ` Andy Lutomirski
[not found] <fa.f36f4t9.1rg8j3v@ifi.uio.no>
2003-10-22 7:11 ` Michael Glasgow
2003-10-22 19:40 ` Andy Lutomirski
[not found] <fa.hehull9.10mmngt@ifi.uio.no>
2003-10-21 18:24 ` Andy Lutomirski
-- strict thread matches above, loose matches on Subject: below --
2003-10-21 11:26 Michael Glasgow
2003-10-23 16:46 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20031023225903.GB3719@thunk.org \
--to=tytso@mit.edu \
--cc=glasgow@beer.net \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.