lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060407185636.GC3311@suse.de>
Date: Fri Apr  7 21:49:03 2006
From: seth.arnold at suse.de (Seth Arnold)
Subject: [Apparmor-dev] Re: Re: [SC-L] Re:
	[Owasp-dotnet] RE: 4 Questions:Latest IE vulnerability,
	Firefox vs IE security, User vs Admin risk profile,
	and browsers coded in 100% Managed Verifiable code

On Thu, Apr 06, 2006 at 12:01:06PM -0400, Brian Eaton wrote:
> Does cap_setuid give a program enough authority to break out of the
> AppArmor profile?

Not directly, no; however, because a process with this capability can
forge credentials over unix domain sockets it is possible that it could
entice another process on the system to perform operations on its behalf
that the receiving process wouldn't ordinarily allow.

And, of course, just granting the capability in our profile language isn't
sufficient -- we simply restrict the capabilities that the process may
use -- the process would need to receive the cap_setuid bit from some other
process in order to be able to use setuid(2), forge credentials, etc.

More dangerous to grant would be CAP_SYS_ADMIN, CAP_SYS_MODULE,
CAP_SYS_PTRACE, CAP_SYS_RAWIO. Of course you only have to grant
these capabilities to processes that require the functionality these
capabilities allow -- if you don't need the functionality, then you do
not need to grant the capabilities.

Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060407/0f10c354/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ