Date: Tue, 9 Jan 2024 19:45:27 +0800 (GMT+08:00)
From: 孟敬姿 <mengjingzi@....ac.cn>
To: "Theodore Ts'o" <tytso@....edu>
Cc: "Greg KH" <gregkh@...uxfoundation.org>, brauner@...nel.org, 
	linux-kernel@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: proposal to refine capability checks when _rlimit_overlimit() is true

I understand that changing the code here may affect the world outside the
kernel. And there might be usability issues when applications in
userspace are not updated. But the good news is that the
modification's impact on userspace is relatively contained.
Here's a breakdown:

1. Usage statistics for the latest version of Ubuntu show that
   applications have limited use of capabilities.
        (1) Under the default configuration, only 28 processes in
            Ubuntu 22.04 LTS were found to have capabilities, with 15
            running as root and unaffected by the proposed change.
        (2) Among the 59k packages on Ubuntu 21.10, only 29 programs
            were configured with capabilities.[1]

2. For programs that use capabilities, it is not complicated for developers
   or sysadmins to reconfigure them. Programs using capabilities can be
   categorized into two types:
        (1) those started by root, which have full capabilities by default
            and can be changed with the prctl system call;
        (2) those with capabilities configured directly on the
            executable file, which can be modified with the setcap command.

So the key to using capability is to choose the least privilege that 
will accomplish the function. This can't be done without the kernel's 
clear delineation of privileges.

This change will make it clear that if you only need to cross system 
limits, then sys_resource is the capability you need. This may cause 
some processes that are using sys_admin to bypass limits to fail, but 
from a least privilege point of view, it may be good to reduce the 
unnecessary use of sys_admin.

Best regards,
Jingzi

[1] Hasan, Md Mehedi, Seyedhamed Ghavamnia, and Michalis Polychronakis. 
    "Decap: Deprivileging programs by reducing their capabilities." 
    Proceedings of the 25th International Symposium on Research in Attacks,
    Intrusions and Defenses. 2022.
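The mail's argument rests on being able to see which processes actually hold CAP_SYS_ADMIN versus the narrower CAP_SYS_RESOURCE. The following is an added audit helper, not code from the mail or from the kernel patch under discussion: it decodes the CapPrm/CapEff hex masks that the kernel exposes in /proc/<pid>/status (bit numbers from linux/capability.h, where CAP_SYS_ADMIN is bit 21 and CAP_SYS_RESOURCE is bit 24) and flags non-root processes whose effective set contains CAP_SYS_ADMIN, the ones the proposed check would affect if they only used it to exceed an rlimit. The three status dumps embedded below are constructed samples, not measurements from any real system.

```python
"""Decode Linux capability masks from /proc/<pid>/status and flag non-root
processes holding CAP_SYS_ADMIN.  Added illustration; not part of the mail."""
import os

# Capability bit numbers as defined in linux/capability.h (bits 0..40).
CAP_NAMES = (
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
)
CAP_SYS_ADMIN = CAP_NAMES.index("CAP_SYS_ADMIN")        # bit 21
CAP_SYS_RESOURCE = CAP_NAMES.index("CAP_SYS_RESOURCE")  # bit 24


def decode_caps(mask: int) -> set:
    """Turn a capability bitmask into the set of capability names it contains.
    Bits beyond the known table are reported as CAP_<n> rather than dropped."""
    names = set()
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def parse_status(text: str) -> dict:
    """Extract Name, real Uid and the Cap* hex fields from a status dump."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key.startswith("Cap"):
            fields[key] = int(value, 16)       # kernel prints 16 hex digits
        elif key == "Uid":
            fields["Uid"] = int(value.split()[0])  # first column: real uid
        elif key == "Name":
            fields["Name"] = value
    return fields


def audit(status_text: str) -> dict:
    """Summarise one process: root processes are unaffected by the proposed
    check (they hold every capability), so only non-root holders of
    CAP_SYS_ADMIN are marked for review."""
    f = parse_status(status_text)
    uid = f.get("Uid", 0)
    effective = decode_caps(f.get("CapEff", 0))
    return {
        "name": f.get("Name", "?"),
        "root": uid == 0,
        "effective": effective,
        "has_sys_admin": "CAP_SYS_ADMIN" in effective,
        "has_sys_resource": "CAP_SYS_RESOURCE" in effective,
        "needs_review": uid != 0 and "CAP_SYS_ADMIN" in effective,
    }


# Constructed sample dumps in /proc/<pid>/status format (not real processes).
SAMPLE_ROOT = "Name:\tsampled\nUid:\t0\t0\t0\t0\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"
SAMPLE_ADMIN = "Name:\tquotad\nUid:\t1001\t1001\t1001\t1001\nCapPrm:\t0000000001200000\nCapEff:\t0000000001200000\n"
SAMPLE_RESOURCE = "Name:\tbigbuf\nUid:\t1002\t1002\t1002\t1002\nCapPrm:\t0000000001000000\nCapEff:\t0000000001000000\n"


def audit_samples() -> list:
    """Run the audit over the constructed samples; returns one dict each."""
    return [audit(s) for s in (SAMPLE_ROOT, SAMPLE_ADMIN, SAMPLE_RESOURCE)]


def audit_live(pid: str = "self") -> dict:
    """Audit a live process via /proc; returns {} where /proc is unavailable."""
    path = f"/proc/{pid}/status"
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    for result in audit_samples() + [audit_live()]:
        if result:
            print(result["name"], sorted(result["effective"]),
                  "REVIEW" if result["needs_review"] else "ok")
```

Run against every entry of /proc on a host (iterating numeric directory names and calling audit_live on each) this reproduces the first measurement in the mail: the count of processes holding capabilities, split into root and non-root holders. A process that is flagged and only needs to exceed an rlimit is a candidate for replacing cap_sys_admin with cap_sys_resource in its setcap file capability or prctl configuration.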
