Stephen Smalley wrote:
On Tue, 2006-08-15 at 21:42 -0500, Serge E. Hallyn wrote:
<snip>
Very good point. Preventing communication channels i.e. through signals
isn't a concern, but user hallyn ptracing himself running /bin/passwd
certainly is.
Actually, ptrace already performs a capability comparison (cap_ptrace).
Wrt signals, it wasn't the communication channel that concerned me but
the ability to interfere with the operation of a process running in the
same uid but different capabilities, like stopping it at a critical
point. Likewise with many other task hooks - you wouldn't want to be
able to depress the priority of a process running with greater
capabilities.
On this point, what about environment tampering of processes with caps?
LD_PRELOAD=my_bad_lib.so /usr/bin/passwd. glibc atsecure logic would
have to be updated to do a capability comparison.
One other point to consider is Solaris seems to have diverged from their
own past approaches for privileges/capabilities,
http://blogs.sun.com/casper/20040722
http://www.opensolaris.org/os/community/security/library/howto/privbracket/
Doesn't sound like they are even using file capabilities at all.
Also, think about the real benefits of capabilities, at least as defined
in Linux. The coarse granularity and the lack of any per-object support
is a fairly significant deficiency there that is much better handled via
TE. At least some of the Linux capabilities lend themselves to easy
privilege escalation to gaining other capabilities or effectively
bypassing them
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]