A bid to resurrect Linux capabilities
Posted Sep 22, 2006 8:24 UTC (Fri) by slamb
Parent article: A bid to resurrect Linux capabilities
This patch uses some of those new bits from the outset for a set of "regular
capabilities" which all processes are normally expected to have. These capabilities include the
ability to use fork() or exec(), the ability to open files and to write to files, the ability to use ptrace
(), and the ability to increase privilege by running a setuid program.
Woo! I'm glad to see someone do this. I've long thought this was the best
way to take advantage of capabilities. I even wrote a crappy patch to OpenBSD long ago, which
fortunately for the world never made it beyond my system.
Many of the regular capabilities can easily be used to gain full root access. (Though I
thought that about pcap, and omnipresent ssh
has proven me wrong.) But locking down ptrace() might be a good way to prevent an
exploited connection from messing with another one in forked servers. I think the only other way
would be to bind as root, then setuid() to one of a pool of uids or something...I hope no
to post comments)