Re: [RFC] [PATCH] file posix capabilities

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Joshua Brindle <method@gentoo.org>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: "Serge E. Hallyn" <serue@us.ibm.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Nicholas Miell <nmiell@comcast.net>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	lkml <linux-kernel@vger.kernel.org>,
	linux-security-module@vger.kernel.org, chrisw@sous-sol.org
Subject: Re: [RFC] [PATCH] file posix capabilities
Date: Thu, 17 Aug 2006 08:00:48 -0400	[thread overview]
Message-ID: <44E45A70.8090801@gentoo.org> (raw)
In-Reply-To: <1155734401.18911.33.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Tue, 2006-08-15 at 21:42 -0500, Serge E. Hallyn wrote:
>   
> <snip>
>> Very good point.  Preventing communication channels i.e. through signals
>> isn't a concern, but user hallyn ptracing himself running /bin/passwd
>> certainly is.
>>     
>
> Actually, ptrace already performs a capability comparison (cap_ptrace).
> Wrt signals, it wasn't the communication channel that concerned me but
> the ability to interfere with the operation of a process running in the
> same uid but different capabilities, like stopping it at a critical
> point.  Likewise with many other task hooks - you wouldn't want to be
> able to depress the priority of a process running with greater
> capabilities.
>
>   
On this point, what about environment tampering of processes with caps? 
LD_PRELOAD=my_bad_lib.so /usr/bin/passwd. glibc atsecure logic would 
have to be updated to do a capability comparison.

> One other point to consider is Solaris seems to have diverged from their
> own past approaches for privileges/capabilities,
> http://blogs.sun.com/casper/20040722
> http://www.opensolaris.org/os/community/security/library/howto/privbracket/
>
> Doesn't sound like they are even using file capabilities at all.
>
> Also, think about the real benefits of capabilities, at least as defined
> in Linux.  The coarse granularity and the lack of any per-object support
> is a fairly significant deficiency there that is much better handled via
> TE.  At least some of the Linux capabilities lend themselves to easy
> privilege escalation to gaining other capabilities or effectively
> bypassing them

next prev parent reply	other threads:[~2006-08-17 12:01 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-07-30  1:13 [RFC] [PATCH] file posix capabilities Serge E. Hallyn
2006-08-14 22:06 ` Serge E. Hallyn
2006-08-15  0:20   ` Eric W. Biederman
2006-08-15  2:06     ` Serge E. Hallyn
2006-08-15  3:29       ` Eric W. Biederman
2006-08-15  4:22         ` Nicholas Miell
2006-08-15 11:49           ` Serge E. Hallyn
2006-08-15 12:20             ` Serge E. Hallyn
2006-08-15 19:31               ` Nicholas Miell
2006-08-15 19:41                 ` Serge E. Hallyn
2006-08-15 16:18             ` Stephen Smalley
2006-08-15 16:36               ` Casey Schaufler
2006-08-16  2:42               ` Serge E. Hallyn
2006-08-16 13:20                 ` Stephen Smalley
2006-08-17 12:00                   ` Joshua Brindle [this message]
2006-08-17 12:28                     ` Stephen Smalley
2006-08-21 20:36                       ` Serge E. Hallyn
2006-08-28 21:39                         ` Serge E. Hallyn
2006-08-29 18:37                           ` Seth Arnold
2006-08-29 19:58                             ` Serge E. Hallyn
2006-08-19  2:02                   ` Crispin Cowan
2006-08-19 17:08                     ` Casey Schaufler
2006-08-22  2:50                     ` Serge E. Hallyn
2006-08-22  3:19                       ` Seth Arnold
2006-08-19  2:02           ` Crispin Cowan
     [not found]   ` <44E1153D.9000102@ak.jp.nec.com>
     [not found]     ` <20060815021612.GC16220@sergelap.austin.ibm.com>
2006-08-15  3:48       ` KaiGai Kohei
2006-08-15 12:04         ` Serge E. Hallyn
2006-08-15 16:02   ` Casey Schaufler
2006-08-16  2:25     ` Serge E. Hallyn
  -- strict thread matches above, loose matches on Subject: below --
2006-08-16  2:43 Albert Cahalan
2006-08-16  3:23 ` Serge E. Hallyn
2006-08-16  3:44 ` Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=44E45A70.8090801@gentoo.org \
    --to=method@gentoo.org \
    --cc=chrisw@sous-sol.org \
    --cc=ebiederm@xmission.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nmiell@comcast.net \
    --cc=sds@tycho.nsa.gov \
    --cc=serge@hallyn.com \
    --cc=serue@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.