Modifying kernel so that non-root users have some root capabilities

Modifying kernel so that non-root users have some root capabilities

[Laughlin, Joseph V]

(not sure if this is a duplicate or not.. Apologies in advance.)

I've been tasked with modifying a 2.4 kernel so that a non-root user can
do the following:

Dynamically change the priorities of processes (up and down)
Lock processes in memory
Can change process cpu affinity

Anyone got any ideas about how I could start doing this?  (I'm new to
kernel development, btw.)

Thanks,


Joe Laughlin
Phantom Works - Integrated Technology Development Labs 
The Boeing Company

Re: Modifying kernel so that non-root users have some root capabilities

[Steve Youngs]

* Joseph V Laughlin <Laughlin> writes:

  > I've been tasked with modifying a 2.4 kernel so that a non-root user can
  > do the following:

  > Dynamically change the priorities of processes (up and down)
  > Lock processes in memory
  > Can change process cpu affinity

I'm assuming that there are user-land tools to do these things now for
root, right?  So why not look into things like sudo(8) or even setuid
executables? 


-- 
|---<Steve Youngs>---------------<GnuPG KeyID: A94B3003>---|
|              Ashes to ashes, dust to dust.               |
|      The proof of the pudding, is under the crust.       |
|----------------------------------<steve@youngs.au.com>---|

Re: Modifying kernel so that non-root users have some root capabilities

[Neale Banks]

On Mon, 24 May 2004, Laughlin, Joseph V wrote:

> I've been tasked with modifying a 2.4 kernel so that a non-root user can
> do the following:
> 
> Dynamically change the priorities of processes (up and down)
> Lock processes in memory
> Can change process cpu affinity
> 
> Anyone got any ideas about how I could start doing this? 

Have you had a look at kernel capabilities?

E.g. CAP_SYS_NICE in linux/include/kernel/capability.h might be somewhat
interesting.

> (I'm new to kernel development, btw.)

No offence implied, but questions like this are better addressed in a
forum such as the kernelnewbies list, see:
http://www.kernelnewbies.org/mailinglist.php3

HTH,
Neale.

RE: Modifying kernel so that non-root users have some root capabilities

[Laughlin, Joseph V]

> -----Original Message-----
> From: Steve Youngs [mailto:steve@youngs.au.com] 
> Sent: Monday, May 24, 2004 4:24 PM
> To: Linux Kernel List
> Cc: Laughlin, Joseph V
> Subject: Re: Modifying kernel so that non-root users have 
> some root capabilities
> 
> 
> * Joseph V Laughlin <Laughlin> writes:
> 
>   > I've been tasked with modifying a 2.4 kernel so that a 
> non-root user can
>   > do the following:
> 
>   > Dynamically change the priorities of processes (up and down)
>   > Lock processes in memory
>   > Can change process cpu affinity
> 
> I'm assuming that there are user-land tools to do these 
> things now for root, right?  So why not look into things like 
> sudo(8) or even setuid executables? 
> 

In short, it comes down to permissions problems with NFS mounted
directories, combined with Rational ClearCase issues, combined with
stringent security requirements.

Re: Modifying kernel so that non-root users have some root capabilities

[Andy Lutomirski]

Laughlin, Joseph V wrote:
> (not sure if this is a duplicate or not.. Apologies in advance.)
> 
> I've been tasked with modifying a 2.4 kernel so that a non-root user can
> do the following:
> 
> Dynamically change the priorities of processes (up and down)
> Lock processes in memory
> Can change process cpu affinity

Capabilities should do this, but they don't.  See the huge thread
on capabilities these past couple weeks.

You're probably best off with a setuid-root executable.

--Andy

Re: Modifying kernel so that non-root users have some root capabilities

[Chris Wright]

* Laughlin, Joseph V (Joseph.V.Laughlin@boeing.com) wrote:
> > From: Steve Youngs [mailto:steve@youngs.au.com] 
> > 
> > I'm assuming that there are user-land tools to do these 
> > things now for root, right?  So why not look into things like 
> > sudo(8) or even setuid executables? 
> 
> In short, it comes down to permissions problems with NFS mounted
> directories, combined with Rational ClearCase issues, combined with
> stringent security requirements.

Uh-oh, sounds like an insurmountable problem ;-) Well, keep in mind that
CAP_SYS_NICE and CAP_IPC_LOCK can DoS a machine pretty nicely.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

Re: Modifying kernel so that non-root users have some root capabilities

[Richard B. Johnson]

On Mon, 24 May 2004, Laughlin, Joseph V wrote:

> (not sure if this is a duplicate or not.. Apologies in advance.)
>
> I've been tasked with modifying a 2.4 kernel so that a non-root user can
> do the following:
>
> Dynamically change the priorities of processes (up and down)
> Lock processes in memory
> Can change process cpu affinity
>
> Anyone got any ideas about how I could start doing this?  (I'm new to
> kernel development, btw.)
>
> Thanks,

You don't modify an operating system to do that!! You just make
a priviliged program (setuid) that does the things you want.

You can even transparently send the requests to your daemon so that
existing programs that expect to do such things don't need to
be modified (hint LD_PRELOAD).

Cheers,
Dick Johnson
Penguin : Linux version 2.4.26 on an i686 machine (5570.56 BogoMips).
            Note 96.31% of all statistics are fiction.

Re: Modifying kernel so that non-root users have some root capabilities

[David T Hollis]

On Mon, 2004-05-24 at 15:21 -0700, Laughlin, Joseph V wrote:
> (not sure if this is a duplicate or not.. Apologies in advance.)
> 
> I've been tasked with modifying a 2.4 kernel so that a non-root user can
> do the following:
> 
> Dynamically change the priorities of processes (up and down)
> Lock processes in memory
> Can change process cpu affinity
> 
> Anyone got any ideas about how I could start doing this?  (I'm new to
> kernel development, btw.)
> 
> Thanks,
> 
It's these sorts of things that make Windows so unstable.  As others
have suggested, the considerably safer alternatives have already
surfaced, been around, had the tires kicked etc. in the form of setuid,
sudo, or kernel capabilities.  Some of these things may even be possible
from SELinux, but I'm not certain.

-- 
David T Hollis <dhollis@davehollis.com>

Re: Modifying kernel so that non-root users have some root capabilities

[Bill Davidsen]

Richard B. Johnson wrote:
> On Mon, 24 May 2004, Laughlin, Joseph V wrote:
> 
> 
>>(not sure if this is a duplicate or not.. Apologies in advance.)
>>
>>I've been tasked with modifying a 2.4 kernel so that a non-root user can
>>do the following:
>>
>>Dynamically change the priorities of processes (up and down)
>>Lock processes in memory
>>Can change process cpu affinity
>>
>>Anyone got any ideas about how I could start doing this?  (I'm new to
>>kernel development, btw.)
>>
>>Thanks,
> 
> 
> You don't modify an operating system to do that!! You just make
> a priviliged program (setuid) that does the things you want.

Dick, it's called capabilities, and people have already modified the 
operating system to do that, it just doesn't work quite as intended in 
some cases. Setuid is the keys to the kingdom, you really don't want to 
use setuid root unless there's no other way.

Remember when everything used to take the BKL? Then people saw a better 
way. Capabilities is the same kind of progression, save the big hammer 
for the big nail.

-- 
    -bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
  last possible moment - but no longer"  -me

RE: Modifying kernel so that non-root users have some root capabilities

[Laughlin, Joseph V]

> -----Original Message-----
> From: Bill Davidsen [mailto:davidsen@tmr.com] 
> Sent: Tuesday, May 25, 2004 11:14 AM
> To: root@chaos.analogic.com
> Cc: Laughlin, Joseph V; linux-kernel@vger.kernel.org
> Subject: Re: Modifying kernel so that non-root users have 
> some root capabilities
> 
> 
> Richard B. Johnson wrote:
> > On Mon, 24 May 2004, Laughlin, Joseph V wrote:
> > 
> > 
> >>(not sure if this is a duplicate or not.. Apologies in advance.)
> >>
> >>I've been tasked with modifying a 2.4 kernel so that a 
> non-root user 
> >>can do the following:
> >>
> >>Dynamically change the priorities of processes (up and down) Lock 
> >>processes in memory Can change process cpu affinity
> >>
> >>Anyone got any ideas about how I could start doing this?  
> (I'm new to 
> >>kernel development, btw.)
> >>
> >>Thanks,
> > 
> > 
> > You don't modify an operating system to do that!! You just make a 
> > priviliged program (setuid) that does the things you want.
> 
> Dick, it's called capabilities, and people have already modified the 
> operating system to do that, it just doesn't work quite as 
> intended in 
> some cases. Setuid is the keys to the kingdom, you really 
> don't want to 
> use setuid root unless there's no other way.
> 
> Remember when everything used to take the BKL? Then people 
> saw a better 
> way. Capabilities is the same kind of progression, save the 
> big hammer 
> for the big nail.
> 

In what cases does changing the capabilities not have the intended
effects?

Thanks,
Joe 

Re: Modifying kernel so that non-root users have some root capabilities

[Bill Davidsen]

Laughlin, Joseph V wrote:
>>-----Original Message-----
>>From: Bill Davidsen [mailto:davidsen@tmr.com] 
>>Sent: Tuesday, May 25, 2004 11:14 AM
>>To: root@chaos.analogic.com
>>Cc: Laughlin, Joseph V; linux-kernel@vger.kernel.org
>>Subject: Re: Modifying kernel so that non-root users have 
>>some root capabilities
>>
>>
>>Richard B. Johnson wrote:
>>
>>>On Mon, 24 May 2004, Laughlin, Joseph V wrote:
>>>
>>>
>>>
>>>>(not sure if this is a duplicate or not.. Apologies in advance.)
>>>>
>>>>I've been tasked with modifying a 2.4 kernel so that a 
>>
>>non-root user 
>>
>>>>can do the following:
>>>>
>>>>Dynamically change the priorities of processes (up and down) Lock 
>>>>processes in memory Can change process cpu affinity
>>>>
>>>>Anyone got any ideas about how I could start doing this?  
>>
>>(I'm new to 
>>
>>>>kernel development, btw.)
>>>>
>>>>Thanks,
>>>
>>>
>>>You don't modify an operating system to do that!! You just make a 
>>>priviliged program (setuid) that does the things you want.
>>
>>Dick, it's called capabilities, and people have already modified the 
>>operating system to do that, it just doesn't work quite as 
>>intended in 
>>some cases. Setuid is the keys to the kingdom, you really 
>>don't want to 
>>use setuid root unless there's no other way.
>>
>>Remember when everything used to take the BKL? Then people 
>>saw a better 
>>way. Capabilities is the same kind of progression, save the 
>>big hammer 
>>for the big nail.
>>
> 
> 
> In what cases does changing the capabilities not have the intended
> effects?

Don't read that as "existing capabilities don't work," but as 
"capabilities don't exist for all the things people claim they need 
setuid root to do." The whole concept of capabilities was going to 
reduce the need and demand for setuid, and hopefully allow setuid to 
vanish in secure systems.

Either through lack of all the necessary bits, or lack of expertise 
using them the goal of reduction in demand and use for setuid seems not 
to have been met. I would argue that lack of need has been met, but 
careful thought seems needed to do some things without setuid.

-- 
    -bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
  last possible moment - but no longer"  -me

Re: Modifying kernel so that non-root users have some root capabilities

[Roger Larsson]

> I've been tasked with modifying a 2.4 kernel so that a non-root user can
> do the following:
> 
> Dynamically change the priorities of processes (up and down)
> Lock processes in memory
> Can change process cpu affinity
> 
> Anyone got any ideas about how I could start doing this? (I'm new to
> kernel development, btw.)

Audio development folks has a SELinux module that does almost this.

"The latest version of the realtime Linux Security Module is now
available on SourceForge...

  
http://prdownloads.sourceforge.net/realtime-lsm/realtime-lsm-0.1.1.tar.gz?download

This release handles changes to the capabilities structure introduced
in Linux 2.6.6, but still works with earlier 2.6 kernels.  There are
no functional changes.  Unless you are running 2.6.6, there is no need
to upgrade.  Changes in the 2.6.6 kernel makefiles affect the
procedure for building the realtime-lsm.  Please consult the INSTALL
instructions for details.

The realtime LSM is an installable kernel module that enables realtime
capabilities for any 2.6 kernel without needing to directly patch the
kernel.  It was written by Torben Hohn and Jack O'Quin, who make no
warranty concerning the safety, security or even stability of your
system when using it.  It is provided under the provisions of the GPL.
-- 
  joq"

Usage like this:
"Once the LSM has been installed and the kernel for which it was built
is running, the root user can load it and pass parameters as follows:

  # modprobe realtime any=1

  Any program can request realtime privileges.  This allows any local
  user to crash the system by hogging the CPU in a tight loop or
  locking down too much memory.  But, it is simple to administer.  :-)

  # modprobe realtime gid=29

  All users belonging to group 29 and programs that are setgid to that
  group have realtime privileges.  Use any group number you like.

  # modprobe realtime mlock=0

  Grants realtime scheduling privileges without the ability to lock
  memory using mlock() or mlockall() system calls.  This option can be
  used in conjunction with any of the other options.
"

/RogerL
(not subscribed but reading archives now and then)

-- 
Roger Larsson
Skellefteå
Sweden