From: "J. Bruce Fields" <bfields@fieldses.org>
To: Jeff Layton <jlayton@redhat.com>
Cc: steved@redhat.com, linux-nfs@vger.kernel.org
Subject: Re: [PATCH] nfsdcld: add support for dropping capabilities
Date: Tue, 8 May 2012 16:08:48 -0400
Message-ID: <20120508200848.GD17669@fieldses.org>
In-Reply-To: <20120508160343.1114f01c@corrin.poochiereds.net>

On Tue, May 08, 2012 at 04:03:43PM -0400, Jeff Layton wrote:
> With this, root is basically a user like any other. He has to have
> explicit permissions to access anything. If another user owns a file
> and it's not world readable (or group readable by a group to which root
> is a member), then the process won't be able to read it. Granted, a lot
> of files are owned by root on a typical machine,

... including, looking at my Fedora box, /etc/passwd, /etc/shadow, the
entire contents of /usr/bin, all sorts of interesting /proc files....

Sounds like game over?  Maybe not if selinux or something else
intervenes.

> but this should still
> prevent access to any that aren't.

> 
> This also trims out all of the other extraneous stuff we don't need --
> being able to bind to low sockets, traverse directories in which root
> has no explicit access, chown ability, etc...
> 
> There are a couple of other approaches we could take here instead:
> 
> 1) we could run as an unprivileged user and keep CAP_DAC_OVERRIDE.
> I think that's less safe than what I'm doing here though...
> 
> 2) we could teach the kernel to create the pipe with a different owner
> and then run the daemon as a non-root user. That means we'd need some
> mechanism to tell the kernel what we want that owner to be. I'm not
> sure how that would work in practice -- maybe a new file
> in /proc/fs/nfsd ?
> 
> In any case, I think this is probably good enough for now. This daemon
> doesn't listen on a socket or anything so any compromise of it would
> be a local one. Users also don't generally interact with it directly,
> so you'd need to jump through some hoops in order to break it I'd
> think.

Sure.

--b.
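As an added illustration (not part of this thread or of the nfsdcld patch), the effect Jeff describes, in C: every capability is dropped through the raw Linux prctl(2) and capset(2) interfaces, and the process then tries to read a mode-0000 file it owns itself. With CAP_DAC_OVERRIDE root opens it; without it the open fails with EACCES for root just as for any other user. The bounding-set and no_new_privs steps go beyond what the discussion mentions; a writable /tmp is assumed, and the probe file is constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Empty the bounding set (needs CAP_SETPCAP: an unprivileged caller gets EPERM
 * on the first cap, EINVAL marks the first cap number this kernel does not
 * have), forbid regaining privilege through setuid/fscaps binaries, then clear
 * the permitted, effective and inheritable sets (the kernel drops the ambient
 * set with them). Returns 0 on success, -errno on failure. */
int drop_all_capabilities(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    int cap = 0;

    while (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0)
        cap++;
    if (errno != EINVAL && errno != EPERM)
        return -errno;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -errno;
    return syscall(SYS_capset, &hdr, data) < 0 ? -errno : 0;
}

/* Create a mode-0000 file we own (a constructed probe under /tmp) and try to
 * open it for reading. 0 means DAC was overridden (root with CAP_DAC_OVERRIDE);
 * -EACCES means DAC applied to us like to any other user; any other -errno
 * means the setup itself failed. */
int probe_unreadable_file(void)
{
    char path[] = "/tmp/capdrop-XXXXXX";
    int fd = mkstemp(path), rc = 0;

    if (fd < 0)
        return -errno;
    close(fd);
    if (chmod(path, 0) < 0 || (fd = open(path, O_RDONLY)) < 0)
        rc = -errno;
    else
        close(fd);
    unlink(path);
    return rc;
}
```

Calling probe_unreadable_file() before and after drop_all_capabilities() as root shows the switch from 0 to -EACCES; the root-owned files Bruce lists stay readable either way, which is exactly his caveat.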
