Dropping root's ability to write all files

Posted May 1, 2008 16:16 UTC (Thu) by bkw1a (subscriber, #4101)
Parent article: Restricting root with per-process securebits

I'd love to be able to create a process that had root's ability to READ all files, but lacked
root's ability to WRITE all files.  This would eliminate the need to run remote backup jobs as
root, which has always worried me.


Dropping root's ability to write all files

Posted May 1, 2008 17:41 UTC (Thu) by Lennie (subscriber, #49641)

I'm not sure if there is another way already, but having a process just bind a port below
1024 without being root while doing so would be really nice as well.

Dropping root's ability to write all files

Posted May 2, 2008 3:44 UTC (Fri) by bronson (subscriber, #4806)

Can't SELinux do both of these now?

SELinux is one of those things that I keep meaning to set up and learn...  Just never enough
round tuits.

Limiting privilege to binding reserved port

Posted May 2, 2008 15:22 UTC (Fri) by giraffedata (subscriber, #1954)

> having a process just bind a port below 1024 without being root while doing so would be really nice as well.

That's been there since the earliest days of capabilities. It is the NET_BIND_SERVICE capability. Whenever I have a program that wants superuser privilege just so it can bind a reserved port, I invoke it from a program "capexec", which sets NET_BIND_SERVICE capability only, sets the proper uid and gid, and execs the untrusted program. (The process is superuser when it invokes capexec).

Sometimes I have to modify the untrusted program because it contains a bogus check for uid zero.

But an even better way to deal with this is not to give any privilege to the untrusted program at all -- just pass it a file descriptor for a socket already bound to the reserved port. For that, I use "socketexec" before "capexec". Socketexec creates the socket and execs capexec. Capexec drops all privileges and execs the untrusted program. I usually have to modify the program to be able to take an already bound socket. Some programs have to bind multiple times in their life and this won't work.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.