lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 9 Sep 2006 19:18:05 -0400 From: Theodore Tso <tytso@....edu> To: David Madore <david.madore@....fr> Cc: Linux Kernel mailing-list <linux-kernel@...r.kernel.org> Subject: Re: patch to make Linux capabilities into something useful (v 0.3.1) On Wed, Sep 06, 2006 at 03:26:23PM +0200, David Madore wrote: > I emphasize that the filesystem support patch described above, alone, > will *not* solve the inheritability problem (as my patch does), since > unmarked executables continue to inherit no caps at all. With my > patch, they behave as though they had a full inheritable set, > something which is required if we want to make something useful of > capabilities on non-caps-aware programs. This is what scares me about your proposal. I consider it a *feature* that unmarked executables inherit no capabilities, since many programs were written without consideration about whether or not they might be safe to run without privileges. So the default of not allowing an executable to inherit capabilities is in line of the the classic security principle of "least privileges". I agree it may be less convenient for a system administrator who is used root, cd'ing to a colleagues source tree, su'ing to root, and who then types "make" to compile a program, expecting it to work since root privileges imply the ability to override filesystem discretionary access control --- and then to be rudely surprised when this doesn't work in a capabilities-enabled system. However, I would claim this is the correct behaviour! Would you really want some random operator running random Makefiles for some random program downloaded from the Internet? As root? So as far as I am concerned, forcing make, cc, et. al. to not inherit capabilities is a Good Thing. Now, perhaps some system owners have a different idea of how they want to run, and believe want to trade off more convenience for less security. That's fine, but please don't disable the high security mode for the rest of us. What I would suggest is that perhaps the filesystem capabilities patch can be extended to either to allow the filesystem superblock define (a) what the default inheritance capability mask should be when creating a new file, and (b) what the default inheritance capability for that filesystem should be in the absence of an explicit capability record. Both of these should be overrideable by a mount option, but for convenience's sake it would be convenient to be able to set these values in the superblock. As far as negative capabilities, I feel rather strongly these should not be separated into separate capability masks. They can use the same framework, sure, but I think the system will be much safer if they use a different set of masks. Otherwise, there can be a whole class of mistakes caused by people and applications getting confused over which bit positions indicate privileges, and which indicate negative privileges. If you use a separate mask, this avoids this problem. The other reason why it may not be such a hot idea to mess with the inheritance formulas is compatibility with other Unix systems that have implemented capabilities following the last Posix draft. In particular, Sun has recently included the Trusted Solaris into the base Solaris offering and into Open Solaris, and has been plugging them pretty heavily. It would be unfortunate if Solaris and Linux had gratuitously different semantics for how the capabilities API's work. It could easily cause security problems in both directions --- when trying to port a program written for Linux to Solaris, and vice versa. The solution is to _extend_ the capabilities system: for example, by adding default inheritance masks to cater for system administrators who value convenience more than security, and to add new bitmasks for negative privileges/capabilities. Regards, - Ted - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists