
From: Chris Wright (chrisw_at_osdl.org)
Date: Tue 11 Nov 2003 - 23:58:59 GMT

* Linas Vepstas (linas_at_linas.org) wrote:
> Why is the libcap mailing list so quiet? Why does google not find
> anything interesting for Linux capabilities? Is this because there
> is some deep-rooted, fundamental design-flaw or problem with
> capabilities and/or with their Linux implementation? Have the basic
> libcap tools been obsoleted by selinux, rsbac or some other security
> system? Or is it simply that "capability" is such a generic term that
> newcomers don't bother to even investigate this technology?
> I'm trying to understand why Linux capabilities is such a 'sleepy' topic.

Linux capabilities is a reasonably seasoned project, that's reached a
similarly reasonable maturity state. There's not a lot of new
development in the area, as what is done is largely a completion of the
relevant bits of the withdrawn Posix.1e draft. Notably absent are the
filesystem capabilities bits, see lkml for the many reasons that this is
not popular.

Present (2.6) kernels have the capabilities bits pushed into a Linux
Security Module which should preserve the pre-existing functionality.
The use of capabilities often falls back to something similar to root
privs, but some programs actually choose to use the capget/set interface
to drop the privs. In either case the functionality is still there.
Capabilities is not obsoleted by various MAC policies like SELinux, in
fact, SELinux, for example, can work with capabilities.

> Then a specific question:
> I started looking at capabilities so that I could remove some capabilities
> from a process after it's been started. For example: named/bind9: let
> it start, let it chroot itself into place, then remove chroot privileges
> from it. I discovered that I can't do that because I don't seem to have
> setpcap permissions ... apparently because it's dangerous to have this.
> So the questions are:
> -- Did I misunderstand something in explaining the above?
> -- Is it 'fundamentally dangerous' to be able to take away caps from
> other processes? It seems 'safe' to me, or at least no more dangerous
> than having a root user who can kill -9 assorted processes ...

SETPCAP means you can not only lower but raise privs of processes other
than yourself. It's a dangerous capability to give out.


Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
Vserver mailing list
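An added example, not part of the archived thread and not code from either poster: it shows the alternative Chris Wright alludes to, a process lowering its own capabilities through the raw capget/capset interface, which needs no CAP_SETPCAP because nothing is raised and no other process is touched. It assumes Linux (the syscall numbers and `linux/capability.h` come from the kernel headers) and uses CAP_SYS_CHROOT to match the named/bind9 scenario in the quoted question; the function names are this example's own.

```c
/* Added example: drop CAP_SYS_CHROOT from the calling process's own sets
 * using the raw capget/capset syscalls (no libcap required).
 * Assumes Linux; helper names are this example's own. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Version-3 capability data carries two 32-bit words per set. */
#define CAP_WORDS 2

static int raw_capget(struct __user_cap_header_struct *h,
                      struct __user_cap_data_struct *d)
{
    return (int)syscall(SYS_capget, h, d);
}

static int raw_capset(struct __user_cap_header_struct *h,
                      struct __user_cap_data_struct *d)
{
    return (int)syscall(SYS_capset, h, d);
}

/* Returns 1 if cap is in the effective set of the calling process,
 * 0 if it is not, -1 if capget failed. */
int cap_is_effective(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[CAP_WORDS];
    memset(data, 0, sizeof data);
    if (raw_capget(&hdr, data) != 0)
        return -1;
    return (int)((data[cap / 32].effective >> (cap % 32)) & 1U);
}

/* Clears cap from the effective, permitted and inheritable sets of the
 * calling process (pid 0 in the header means "myself"). Only lowering
 * is done here, so the kernel permits it without CAP_SETPCAP; raising a
 * bit, or naming another pid, is what would need SETPCAP.
 * Returns 0 on success, -1 on failure. */
int drop_own_capability(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[CAP_WORDS];
    memset(data, 0, sizeof data);
    if (raw_capget(&hdr, data) != 0)
        return -1;
    unsigned int mask = ~(1U << (cap % 32));
    data[cap / 32].effective   &= mask;
    data[cap / 32].permitted   &= mask;
    data[cap / 32].inheritable &= mask;
    return raw_capset(&hdr, data) == 0 ? 0 : -1;
}

int main(void)
{
    printf("CAP_SYS_CHROOT effective before: %d\n",
           cap_is_effective(CAP_SYS_CHROOT));
    if (drop_own_capability(CAP_SYS_CHROOT) != 0) {
        perror("capset");
        return 1;
    }
    printf("CAP_SYS_CHROOT effective after:  %d\n",
           cap_is_effective(CAP_SYS_CHROOT));
    return 0;
}
```

Run it as root (or with CAP_SYS_CHROOT granted some other way) to see the bit go from 1 to 0; as an ordinary user the bit is already clear and the capset still succeeds, because clearing bits that are not set is always within the rules for a process changing its own sets. This is the pattern a daemon such as named would use itself after chrooting, as opposed to an outside process trying to strip the capability from it.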

Generated on Tue 11 Nov 2003 - 23:59:46 GMT by hypermail 2.1.3