From: Pavel Machek <pavel@ucw.cz>
To: David Madore <david.madore@ens.fr>
Cc: Linux Kernel mailing-list <linux-kernel@vger.kernel.org>
Subject: Re: patch to make Linux capabilities into something useful (v 0.3.1)
Date: Sat, 9 Sep 2006 11:40:38 +0000 [thread overview]
Message-ID: <20060909114037.GA4277@ucw.cz> (raw)
In-Reply-To: <20060908225118.GB877@clipper.ens.fr>
Hi!
> > Well, you claim it is as safe as possible, and it is not quite.
>
> I claim "safe enough". :-)
Ok, state 'this allows nasty user to induce failures in setgid
programs it execs' in changelog when you submit.
No, I do not think 'safe enough' is good enough for little or no gain.
> > I can bet someone will get the fork() case wrong:
> >
> > f = fork();
> > kill(f);
> >
> > fork will return -1, and kill will kill _all_ the processes.
>
> Someone who writes code like that deserves to get all his processes
> killed. :-p
...as does someone who introduces known-bad security-related changes
withou *very* good reason.
> fork() can fail for a million reasons, some of which, on
> most systems,
'on most systems' is keyword here, and remember that other ways of
inducing fork failures are normally very easy to detect.
Also... fork was first example. There are probably better examples.
> > If you can find another uid to hijack, that other uid has bad
> > problems. And I do not think you'll commonly find another uid to
> > hijack.
>
> How about another gid, then? Should we reset all caps on sgid exec?
Yes. Any setuid/setgid exec is a security barrier, and weird (or new)
semantics may not cross that barrier.
> Ultimately a compromise is to be reached between security and
> flexibility... The problem is, I don't know who should make the
> decision.
Go for security here. (Normally, consensus on the list is needed for
merging the patch).
> > Or just remove CAP_REG_XUID_EXEC when removing any other CAP_REG...?
>
> Doable, but ugly (or so I think): there are many paths that set
No, I meant 'teach users to remove CAP_REG_XUID_EXEC when removing
others'.
> caps... A simpler solution would be to remove the test on
> CAP_REG_SXID and instead test on all regular caps simultaneously.
> Still, I really don't like the idea.
Agreed, I'd call that slightly ugly.
> > It is not too bad; you'll usually not want restricted programs to exec
> > anything setuid... (Do you have example where
> > restricted-but-should-be-able-to-setuid-exec makes sense?)
>
> Well, I could imagine that a paranoid sysadmin might want some users'
> processes to run without this or that capability (perhaps
> CAP_REG_PTRACE or some other yet-to-be-defined capability). This
> doesn't mean that they shouldn't be able to run a game which runs sgid
> in order to write the score file.
...so you prefer enabling DoS attack on the core file. I bet some
combination of your new capabilities will allow game to lock the core
file, but make it crash without unlocking it.
Or do you volunteer to audit all the games in Debian each time new
capability is added? :-)
Pavel
--
Thanks for all the (sleeping) penguins.
next prev parent reply other threads:[~2006-09-10 9:34 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-05 21:26 patch to make Linux capabilities into something useful (v 0.3.1) David Madore
2006-09-06 0:27 ` Casey Schaufler
2006-09-06 10:06 ` David Madore
2006-09-06 13:26 ` David Madore
2006-09-07 0:11 ` Casey Schaufler
2006-09-07 0:32 ` David Madore
2006-09-07 1:01 ` Casey Schaufler
2006-09-07 1:29 ` David Wagner
2006-09-07 16:00 ` Casey Schaufler
2006-09-07 18:33 ` David Wagner
2006-09-07 17:34 ` David Madore
2006-09-07 19:38 ` Bernd Eckenfels
2006-09-07 23:00 ` Pavel Machek
2006-09-08 1:22 ` Bernd Eckenfels
2006-09-08 10:45 ` Pavel Machek
2006-09-08 16:08 ` Casey Schaufler
2006-09-08 14:39 ` Pavel Machek
2006-09-08 19:10 ` Bernd Eckenfels
2006-09-07 22:54 ` Pavel Machek
2006-09-08 4:10 ` David Madore
2006-09-08 10:52 ` Pavel Machek
2006-09-08 22:51 ` David Madore
2006-09-09 0:11 ` Casey Schaufler
2006-09-09 11:59 ` Pavel Machek
2006-09-09 11:40 ` Pavel Machek [this message]
2006-09-10 10:41 ` David Madore
2006-09-10 13:06 ` Pavel Machek
2006-09-10 14:25 ` capability inheritance (was: Re: patch to make Linux capabilities into something useful (v 0.3.1)) David Madore
2006-09-10 22:42 ` Pavel Machek
2006-09-11 16:00 ` Casey Schaufler
2006-09-11 17:39 ` David Madore
2006-09-09 0:59 ` patch to make Linux capabilities into something useful (v 0.3.1) David Wagner
2006-09-09 12:49 ` David Madore
2006-09-09 23:18 ` Theodore Tso
2006-09-10 10:13 ` David Madore
2006-09-10 12:36 ` Pavel Machek
2006-09-10 23:24 ` Theodore Tso
2006-09-11 8:09 ` Pavel Machek
2006-09-06 18:25 ` Serge E. Hallyn
2006-09-06 22:27 ` David Madore
2006-09-07 0:04 ` David Madore
2006-09-07 23:06 ` Serge E. Hallyn
2006-09-08 4:16 ` David Madore
2006-09-07 6:43 ` Jan Engelhardt
2006-09-07 23:02 ` Serge E. Hallyn
2006-09-08 1:08 ` David Madore
2006-09-08 1:31 ` Serge E. Hallyn
2006-09-08 21:45 ` David Madore
2006-09-07 18:21 ` James Antill
2006-09-07 18:33 ` Kyle Moffett
2006-09-07 20:05 ` James Antill
2006-09-08 4:00 ` David Madore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060909114037.GA4277@ucw.cz \
--to=pavel@ucw.cz \
--cc=david.madore@ens.fr \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox