POSIX Capabilities Vs. Set-UID
I mentioned POSIX capabilities in my post about EasyLFS 0.5 and promised another post to clarify what they are actually about. This is the promised post.
POSIX capabilities are actually nothing new, but they haven't been given much attention so far. This has now changed: they are supported by the kernel, and the necessary library and userland tools have been updated to work with the new interface.
Capabilities can be assigned to programs so that these programs can use them in addition to what the user can do anyway, for example opening raw network sockets, which ping requires.
Currently ping comes with the SUID bit set, which turns the user running ping into root, so to speak. If a tool that is SUID root has a security problem, it may be used to elevate the user to root permissions.
Since capabilities can replace the SUID bit by granting only the capabilities that are actually needed, this risk disappears. If such a tool has a security problem, the user may end up with slightly more permissions than before, like opening raw sockets, to stay with our example, but he won't be effectively root.
That makes a big difference, and I think that POSIX capabilities are the way to go.
For EasyLFS 0.5 I will track down all programs installed with the SUID bit and try to replace this bit with the proper capabilities.
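As an added, runnable illustration of that plan (not a script from EasyLFS or from the original post), the following POSIX shell helper audits a directory tree for SUID binaries and prints the commands that would swap the bit for file capabilities. The ping-to-cap_net_raw mapping is the case from the post; every other binary is assumed to need manual review, and the table is a constructed example, not a complete list.

```shell
#!/bin/sh
# Added audit helper for the SUID-to-capabilities migration described above.
# It only reports and prints the commands it would run; it changes nothing.
# The capability table is a constructed illustration: ping's cap_net_raw is
# the case from the post, every other binary is left for manual review.

# List set-user-ID executables under the directory $1, one per line.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Capability set a binary could carry instead of SUID root ("" if unknown).
suggested_caps() {
    case "$(basename "$1")" in
        ping|ping6) echo "cap_net_raw+ep" ;;   # raw ICMP sockets only
        *)          echo "" ;;
    esac
}

# Commands (to be run as root) that replace SUID with file capabilities
# on $1; prints nothing if no capability set is known for the binary.
migration_commands() {
    caps=$(suggested_caps "$1")
    [ -n "$caps" ] || return 0
    echo "chmod u-s $1"                # drop SUID root first
    echo "setcap $caps $1"             # then grant only what it needs
}

# Walk $1 and report every SUID file, its current file caps (if getcap is
# installed) and the planned change.
audit_suid() {
    list_suid "$1" | while read -r f; do
        caps="(getcap not installed)"
        if command -v getcap >/dev/null 2>&1; then
            caps=$(getcap "$f" 2>/dev/null); [ -n "$caps" ] || caps="(none)"
        fi
        printf '%s  current=%s\n' "$f" "$caps"
        cmds=$(migration_commands "$f")
        if [ -n "$cmds" ]; then printf '%s\n' "$cmds"; else echo "  -> manual review"; fi
    done
}

# Example dry run over a system directory: audit_suid /usr/bin
```

Running the printed setcap commands needs root and a filesystem that stores extended attributes; the script itself never executes them.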
This will add another security feature to EasyLFS, and together with SELinux it should provide quite a nice system.
SELinux will of course stay optional, but I think the migration from SUID to POSIX capabilities may not be.
We will see...