Re: [RFC] [PATCH] file posix capabilities

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Joshua Brindle <method@gentoo.org>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: "Serge E. Hallyn" <serue@us.ibm.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Nicholas Miell <nmiell@comcast.net>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	lkml <linux-kernel@vger.kernel.org>,
	linux-security-module@vger.kernel.org, chrisw@sous-sol.org
Subject: Re: [RFC] [PATCH] file posix capabilities
Date: Thu, 17 Aug 2006 08:00:48 -0400	[thread overview]
Message-ID: <44E45A70.8090801@gentoo.org> (raw)
In-Reply-To: <1155734401.18911.33.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Tue, 2006-08-15 at 21:42 -0500, Serge E. Hallyn wrote:
>   
> <snip>
>> Very good point.  Preventing communication channels i.e. through signals
>> isn't a concern, but user hallyn ptracing himself running /bin/passwd
>> certainly is.
>>     
>
> Actually, ptrace already performs a capability comparison (cap_ptrace).
> Wrt signals, it wasn't the communication channel that concerned me but
> the ability to interfere with the operation of a process running in the
> same uid but different capabilities, like stopping it at a critical
> point.  Likewise with many other task hooks - you wouldn't want to be
> able to depress the priority of a process running with greater
> capabilities.
>
>   
On this point, what about environment tampering of processes with caps? 
LD_PRELOAD=my_bad_lib.so /usr/bin/passwd. glibc atsecure logic would 
have to be updated to do a capability comparison.

> One other point to consider is Solaris seems to have diverged from their
> own past approaches for privileges/capabilities,
> http://blogs.sun.com/casper/20040722
> http://www.opensolaris.org/os/community/security/library/howto/privbracket/
>
> Doesn't sound like they are even using file capabilities at all.
>
> Also, think about the real benefits of capabilities, at least as defined
> in Linux.  The coarse granularity and the lack of any per-object support
> is a fairly significant deficiency there that is much better handled via
> TE.  At least some of the Linux capabilities lend themselves to easy
> privilege escalation to gaining other capabilities or effectively
> bypassing them

next prev parent reply	other threads:[~2006-08-17 12:01 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-07-30  1:13 [RFC] [PATCH] file posix capabilities Serge E. Hallyn
2006-08-14 22:06 ` Serge E. Hallyn
2006-08-15  0:20   ` Eric W. Biederman
2006-08-15  2:06     ` Serge E. Hallyn
2006-08-15  3:29       ` Eric W. Biederman
2006-08-15  4:22         ` Nicholas Miell
2006-08-15 11:49           ` Serge E. Hallyn
2006-08-15 12:20             ` Serge E. Hallyn
2006-08-15 19:31               ` Nicholas Miell
2006-08-15 19:41                 ` Serge E. Hallyn
2006-08-15 16:18             ` Stephen Smalley
2006-08-15 16:36               ` Casey Schaufler
2006-08-16  2:42               ` Serge E. Hallyn
2006-08-16 13:20                 ` Stephen Smalley
2006-08-17 12:00                   ` Joshua Brindle [this message]
2006-08-17 12:28                     ` Stephen Smalley
2006-08-21 20:36                       ` Serge E. Hallyn
2006-08-28 21:39                         ` Serge E. Hallyn
2006-08-29 18:37                           ` Seth Arnold
2006-08-29 19:58                             ` Serge E. Hallyn
2006-08-19  2:02                   ` Crispin Cowan
2006-08-19 17:08                     ` Casey Schaufler
2006-08-22  2:50                     ` Serge E. Hallyn
2006-08-22  3:19                       ` Seth Arnold
2006-08-19  2:02           ` Crispin Cowan
     [not found]   ` <44E1153D.9000102@ak.jp.nec.com>
     [not found]     ` <20060815021612.GC16220@sergelap.austin.ibm.com>
2006-08-15  3:48       ` KaiGai Kohei
2006-08-15 12:04         ` Serge E. Hallyn
2006-08-15 16:02   ` Casey Schaufler
2006-08-16  2:25     ` Serge E. Hallyn
  -- strict thread matches above, loose matches on Subject: below --
2006-08-16  2:43 Albert Cahalan
2006-08-16  3:23 ` Serge E. Hallyn
2006-08-16  3:44 ` Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=44E45A70.8090801@gentoo.org \
    --to=method@gentoo.org \
    --cc=chrisw@sous-sol.org \
    --cc=ebiederm@xmission.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nmiell@comcast.net \
    --cc=sds@tycho.nsa.gov \
    --cc=serge@hallyn.com \
    --cc=serue@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox