lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 27 Jul 2006 16:19:59 +0200
From:	Frank v Waveren <fvw@....cx>
To:	"Serge E. Hallyn" <serue@...ibm.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: linux capabilities oddity

On Tue, Jul 25, 2006 at 01:47:19PM -0500, Serge E. Hallyn wrote:
> Quoting Frank v Waveren (fvw@....cx):
> > While debugging an odd problem where /proc/sys/kernel/cap-bound wasn't
> > working, I came across the following code at
> > linux-2.6.x/security/commoncap.c:140:
> > 
> >    void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
> >    {
> >            /* Derived from fs/exec.c:compute_creds. */
> >            kernel_cap_t new_permitted, working;
> > 
> >            new_permitted = cap_intersect (bprm->cap_permitted, cap_bset);
> >            working = cap_intersect (bprm->cap_inheritable,
> >                                     current->cap_inheritable);
> >            new_permitted = cap_combine (new_permitted, working);
> >            ...
> > 
> > Here the new permitted set gets limited to the bits in cap_bset, which
> > is as it should be, but then the intersection of the of the current
> > and exec inheritable masks get added to that set, whereas as I
> > understand it, cap_bset should always be the bounding set.
> [...]
> 
> Actually going by the faq
> (http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt)
> it seems like the cap_intersect with current->cap_inheritable is *too*
> limiting.  I haven't checked what the posix draft actually says, but the
> bprm->cap_inheritable is called the 'forced' set, and is supposed to be
> like setuid.

I don't think the force set should be able to override the cap bound
though. Like the force/setuid analogy, I think we can compare the
cap_bset to the old securelevel system, which means that it should be
the bounding factor. Even if you have setuids on a system with a
raised securelevel, they still can't do the restricted operations.

Once again, this is not based on what the POSIX 1003.1e says, as a
matter of fact I can't find anything about lowering the systemwide
bound externally (as opposed to by not having forced-set executables
and dropping the caps from all processes) at all in a quick grep of
the document, so I suspect this is entirely outside of the spec anyway.

-- 
Frank v Waveren                                  Key fingerprint: BDD7 D61E
fvw@....cx                                              5D39 CF05 4BFC F57A
Public key: hkp://wwwkeys.pgp.net/468D62C8              FA00 7D51 468D 62C8

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ