
POSIX Capabilities Vs. Set-UID

I mentioned POSIX capabilities in my post about EasyLFS 0.5 and promised another post to clarify what they actually are about. This is the promised post.

POSIX capabilities are actually nothing new, but they haven't been given much attention so far. This has now changed: they are supported by the kernel, and the necessary library and userland tools have been updated to work with the new interface.

Capabilities can be assigned to programs so that they can do things beyond what the user could do anyway, for example opening raw network sockets, which ping requires.
Currently ping ships with the SUID bit set, which, so to speak, turns the user running ping into root for as long as the program runs. If a tool that is SUID root has a security problem, it may be used to elevate the user to root permissions.

Since capabilities can replace the SUID bit by granting only the privileges a program actually needs, this risk disappears. If a tool has a security problem, the user may end up with slightly more permissions than before, such as opening raw sockets, to stay with our example, but he won't be effectively root.
That makes a big difference, and I think that POSIX capabilities are the way to go.

For EasyLFS 0.5 I will track down all programs installed with the SUID bit and will try to replace this bit with the proper capabilities.
This will add another security feature to EasyLFS, and together with SELinux it should provide quite a nice system.
SELinux of course will stay optional, but I think the migration from SUID to POSIX capabilities may not.
We will see...
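As an added example (not from the post or the EasyLFS project), here is a small shell helper for the migration described above: it lists SUID binaries under a directory tree and shows how the SUID bit on ping is swapped for the single capability ping needs. It assumes the libcap userland tools setcap and getcap are installed and that ping lives at /bin/ping.

```shell
# Added example, not from the post: audit SUID binaries and replace
# "SUID root" on ping with CAP_NET_RAW only. Assumes setcap/getcap
# (libcap tools) are installed and ping is at /bin/ping.

# Print every regular file under directory $1 that carries the set-user-ID bit.
# "-perm -4000" matches the SUID bit regardless of the other mode bits.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Succeed (exit 0) when file $1 has the SUID bit set, fail otherwise.
is_suid() {
    [ -u "$1" ]
}

# Drop SUID root from ping and grant only CAP_NET_RAW (raw sockets), so a
# flaw in ping yields raw-socket access instead of full root. The capability
# is stored in the file's security.capability extended attribute, so this
# needs root (CAP_SETFCAP) and an xattr-capable filesystem.
replace_ping_suid() {
    ping_bin=${1:-/bin/ping}
    chmod u-s "$ping_bin" || return 1             # remove set-user-ID root
    setcap cap_net_raw+ep "$ping_bin" || return 1 # permitted + effective only
    getcap "$ping_bin"                            # show the recorded capability
    ! is_suid "$ping_bin"                         # confirm the SUID bit is gone
}
```

File capabilities live in an extended attribute, so copying or archiving the binary with tools that do not preserve xattrs silently drops them and ping stops working for unprivileged users; re-check with getcap after upgrades or copies.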

Comments

This is slightly out of my

This is slightly out of my league, but it sounds interesting. Streamlining permissions to only as much as is necessary rather than providing full permissions, if I understand correctly.

Anyway, I think your blog needs an audience more advanced than me. Laughing out loud Do you, btw, have any estimates about how many users may be using EasyLFS?

libervisco wrote: This is

libervisco wrote:

This is slightly out of my league, but it sounds interesting. Streamlining permissions to only as much as is necessary rather than providing full permissions, if I understand correctly.

Yes, that's pretty much it. Instead of turning the program (and thus the user) into root for the time the program runs, it just gives the permissions that are necessary to fulfill the task of the program. As said, ping needs to open raw network sockets, but not control over the whole system.
Giving the least necessary permissions is no new angle on security; it is actually a basic principle. SUID pretty much breaks with this principle, as it elevates the program to root permissions, and most of the time this is totally unnecessary.

libervisco wrote:

Anyway, I think your blog needs an audience more advanced than me. Laughing out loud

Well, I think some of my topics may be a bit technical, but I think still these are things that may be of general interest. And through Planet Libervis I guess I may even get a bit of recognition from across the borders of this site, which I think is a good thing. :-)

libervisco wrote:

Do you, btw, have any estimates about how many users may be using EasyLFS?

Only very very rough guesses, no hard numbers at all.
My download-stats on the project-site say this:

  • EasyLFS: 612
  • EasyLFS64: 172
  • Manual: 1075

But how many of those downloads actually have been finished I cannot tell.
In addition to this the files have been shared through BitTorrent; initially I shared them through LinuxTracker, but by now Google also finds them on other trackers.
The download also seems to be possible through Softpedia, which I have nothing to do with, and a friend of mine has also offered webspace for mirroring.

And one link, which does not offer download, I personally find quite interesting: Compatibility.
This guy seems to have installed EasyLFS and tested his own program(s) with it. That is really cool.

reptiler wrote: Yes,

reptiler wrote:

Yes, that's pretty much it. Instead of turning the program (and thus the user) into root for the time the program runs it just gives the permissions that are necessary to fulfill the task of the program.

Pretty cool, though it might take a while for this method to be more widely adopted. The end user probably wouldn't notice much of a difference in the way they do administration tasks. Gksudo or sudo or su would ask for the password just as they do now, only the permissions wouldn't extend farther than necessary. Nice. Smiling

reptiler wrote:

Well, I think some of my topics may be a bit technical, but I think still these are things that may be of general interest. And through Planet Libervis I guess I may even get a bit of recognition from across the borders of this site, which I think is a good thing. :-)

Agreed. You never know who might be reading, and it gets picked up by search engines, which is good for longer-term exposure.

It's great to hear EasyLFS has been going around. It probably has a number of users, but they just need to voice themselves. Smiling

Cheers

Well, su and sudo will