From: Linas Vepstas (linas_at_linas.org)
Date: Wed 12 Nov 2003 - 00:02:08 GMT
On Tue, Nov 11, 2003 at 02:46:52PM -0800, Andrew Morgan was heard to remark:
>
> This is the most recent incarnation of the full capability support.
>
> http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4-fcap/
>
> The big picture thing is that we put capabilities into the 'official'
> kernel before having filesystem support for them. What resulted was a
> free-for-all of 'cool' hacks that really messed up the underlying
> security model.
>
> In the filesystem based model, you grant 'available' capabilities based
> on how the inode of the program interacts with the 'exec'ing process. In
> the implemented hacked-kernel code, you give a privileged process
> everything so you can be legacy compatible with setuid-0 programs.
>
> The problems you discuss above result. There are some more hacks based
> on bounding sets and the default inheritable set that you can get init
> to initiate before it starts fork()ing children, but they are hacks, and
> as such are likely to have problems of their own: not least that
> programs are designed to assume that 'if I am root, setuid() will always
> work so I won't bother checking all the [fr]uid values do what I
> expect', and witness an exploit for things like sendmail of two years ago.
>
> The code discussed here:
>
> http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4-fcap/README
>
> got the whole thing basically right - even legacy support. Modulo bugs
> (obviously) and further development that never happened (obviously).
OK,
I see that the latest patch is mostly about associating capability bits with
file-system attrs. Its against kernel 2.4.3 and appears not to be
in marcello-2.4.22. What happened? Linus not like it? Never formally
submitted to him (because the patch was too green)? Somebody told you
to use the LSM framework, and never got around to it? selinux and/or rsbac
provide a better security model ?
--linas
-- pub 1024D/01045933 2001-02-01 Linas Vepstas (Labas!) <linas_at_linas.org> PGP Key fingerprint = 8305 2521 6000 0B5E 8984 3F54 64A9 9A82 0104 5933 _______________________________________________ Vserver mailing list Vserver_at_list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver