File-based capabilities

Posted Dec 1, 2006 0:42 UTC (Fri) by skissane (subscriber, #38675)
Parent article: File-based capabilities

I cannot wait enough for this to be rolled in.
This is a frequent issue for me -- if you've ever had to deal with system administrators that don't like making things suid root, you'll know what I mean...



File-based capabilities

Posted Dec 1, 2006 18:44 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

I don't think capabilities will change that.

I used to use an operating system that had fine-grained capabilities and system administrators were usually not willing to let anyone other than those who qualified for _all_ of them have _any_ of them. I.e. it's a binary thing -- either you're in the trusted group or you're not.

You can sort of see their point: fine-grained capabilities multiply complexity, and complexity generates ways to make mistakes.

I use Linux capabilities extensively (using local modifications to Linux), but it's always for things that, if I didn't have capabilities, I would be willing to do with superuser.

File-based capabilities

Posted Jan 27, 2008 17:26 UTC (Sun) by AnswerGuy (guest, #1256) [Link]

He said "things", not people.

With file-based capabilities it's usually the case that you trust the intentions of the user and the programmer who wrote the code. But you're trying to limit the damage that processes running this code can do to the rest of the system (while giving them enough power to do their job) --- in the all-too-likely case that the program can be subverted in some way (buffer overflow, printf error, stack overflow in regex parsing, et cetera, ad infinitum, ad nauseam).

Personally I still think the cleanest, most understandable way of accomplishing this sort of goal has been the systrace patches by Niels Provos. They make perfect sense to anyone who has ever had to deal with packet filtering, and they are the only approach I've seen that would allow a normal user to effectively limit the behavior of software. (One could imagine a user creating systrace configurations to prevent his or her browser from accessing specific document trees and other files, for example. The implications of this are far more significant than one realizes in an era when many of us are seriously considering locking our browsers --- and perhaps our MTAs --- into their own virtual machines to protect the rest of our home directories therefrom.)

JimD
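The damage-limitation point above is only as good as the capability set the process actually ends up with: a binary given `cap_net_bind_service=+ep` via file capabilities should hold that one bit and nothing else, whereas the same binary installed setuid root holds the whole set. The following is an added example (not code from the LWN thread or from the kernel's own capability tooling) of the startup check a capability-aware program can do by parsing the `CapEff:` line of `/proc/self/status`, which is the kernel's hex bitmask of effective capabilities. The bit numbers for CAP_NET_BIND_SERVICE (10) and CAP_SYS_ADMIN (21) are the Linux kernel's; the assumed deployment is a network daemon that needs only the privileged-port capability.

```c
/* Added example: verify the effective capability set of this process.
 * Not from the LWN thread. Assumes a daemon that needs only
 * CAP_NET_BIND_SERVICE, installed with
 *     setcap cap_net_bind_service=+ep ./server
 * rather than chmod u+s. The CapEff: line in /proc/self/status is the
 * kernel's hex bitmask of effective capabilities. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_BIND_SERVICE 10   /* bind to ports below 1024 */
#define CAP_SYS_ADMIN        21   /* "root in all but name" */

/* Parse the hex mask from a "CapEff:\t0000000000000400" style line.
 * Returns 0 if the line has no ':' separator. */
uint64_t parse_cap_line(const char *line)
{
    const char *sep = strchr(line, ':');
    if (sep == NULL)
        return 0;
    /* strtoull skips the leading tab/space before the hex digits. */
    return strtoull(sep + 1, NULL, 16);
}

/* Nonzero if capability number 'cap' is present in 'mask'. */
int cap_is_set(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Read one of the capability masks ("CapEff", "CapPrm", "CapInh",
 * "CapBnd") of the running process. Returns 0 on any failure. */
uint64_t read_own_cap(const char *which)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    uint64_t mask = 0;
    size_t n = strlen(which);

    if (f == NULL)
        return 0;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, which, n) == 0 && line[n] == ':') {
            mask = parse_cap_line(line);
            break;
        }
    }
    fclose(f);
    return mask;
}

/* The least-privilege check: the one capability we need must be present,
 * and a "root in disguise" capability must be absent. A full root set
 * here means someone installed the binary setuid root instead of with
 * file capabilities, which is exactly the situation the thread is about. */
int least_privilege_ok(uint64_t eff)
{
    return cap_is_set(eff, CAP_NET_BIND_SERVICE) &&
           !cap_is_set(eff, CAP_SYS_ADMIN);
}

int main(void)
{
    uint64_t eff = read_own_cap("CapEff");

    printf("CapEff = %016llx\n", (unsigned long long)eff);
    if (!least_privilege_ok(eff)) {
        fprintf(stderr, "refusing to run: need exactly CAP_NET_BIND_SERVICE, "
                        "not the full root set\n");
        return 1;
    }
    printf("capability set looks right; binding privileged port would go here\n");
    return 0;
}
```

Run as an unprivileged user the check fails (no capabilities at all); run after `setcap cap_net_bind_service=+ep` it passes; run setuid root it fails, because CAP_SYS_ADMIN is present. That last case is the one giraffedata's administrators are worried about, and it is cheap for the program itself to refuse it. `getcap ./server` shows the same information from outside the process.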
File-based capabilities

Posted Oct 14, 2007 20:42 UTC (Sun) by garloff (subscriber, #319) [Link]

AppArmor should do what you need, then.
You can assign capabilities to executables with it.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds