Nuxified

FOSS technologies explained

  • Useful Articles
  • Blogs
  • Images
  • Tips
  • Archives

July 1, 2008

POSIX Capabilities Vs. Set-UID

I’ve been mentioned the POSIX-capabilities in my post about EasyLFS 0.5 and promised another post to clarify what they actually are about. This is the promised post.

POSIX-capabilities are actually nothing new, but haven’t been given much attention so far. This now has changed, they are now supported by the kernel and the necessary library and userland-tools have been updated to work with the new interface.

Capabilities can be assigned to programs so that these can use them in addition to what the user anyway can do, for example opening raw network sockets, which is required for ping.
Currently ping comes along with the SUID-bit set, which turn as user running ping into root, so to speak. If a tool that is SUID root has a security-problem it may be used to elevate the user to root-permissions.

As capabilities are capable to replace the SUID-bit by setting only the necessary capabilities this risk disappears. If a tool has a security-problem the user may end up with slightly more permissions than before, like opening raw sockets, to stay with our example, but he won’t be effectively root.
That makes a big difference and I think that POSIX-capabilities are the way to go.

For EasyLFS 0.5 I will track down all programs installed with the SUID-bit and will try to replace this bit with the proper capabilities.
This will add another security-feature to EasyLFS, and together with SELinux it should provide a quite nice system.
SELinux of course will stay optional, but I think the migration from SUID to POSIX-capabilities may not be.
We will see…

Share this:

  • Click to share on Twitter (Opens in new window)
  • Click to share on Facebook (Opens in new window)

Related

Article by reptiler / Community Blogs

Learn Unix

I run Unix Tutorial website and help anyone interested to pick up Unix skills. If you have questions or just want to share your ideas – please join the Unix Tutorial on Facebook.

Tech Stack Solutions

Tech Stack Solutions is my company that provides Unix support. Sign up or simply get in touch to find out how I can help!

Search this Website

You May Also Like

Recent Posts

  • Advice on using SUDO
  • FFmpeg 4.0
  • KDE Plasma 5.9.0 Release
  • How to Install Ubuntu Linux without a DVD or USB
  • How to Securely Save All Your Passwords with Keepass
  • 9 Signs You Should Use Linux on Your Computer
  • The Easiest Way to Optimize Your MySQL Database Performance
  • Setting up a Linux Web Development Environment in Windows
  • Hunting Down Disk Space Hogs on Linux Command Line
  • 6 Simple Android Apps for Monitoring and Managing Your Linux Server

Archives

Categories

  • Community Blogs
  • Images and Screenshots
  • News
  • Technical Topics
  • Useful Articles

Basic Unix Commands

Basic Unix Commands
  • ls command
  • mkdir command
  • man command in unix
  • cd command - change directory
  • uname command

Advanced Unix Commands

Advanced Unix Commands
  • ln command - symlinks
  • tune2fs unix command - filesystem parameters
  • du command - disk usage
  • lsb_release command
  • find unix command

Unix Reference

Unix Reference
  • SSH port forwarding
  • unix commands
  • visudo tutorial
  • mtime unix
  • lrwxrwxrwx
  • Unix Tutorial digest

Unix Books

Unix Tutorials

Unix How-Tos
  • check raspbian version
  • autostart in KVM
  • List files in Ubuntu package
  • check CentOS version
  • create bootable USB in MacOS
  • Useful Articles
  • Blogs
  • Images
  • Tips
  • Archives

Copyright © 2023 · Education Pro Theme on Genesis Framework · WordPress · Log in