I'm not sure if there is another way already, but having a process just bind a port below
1024 without being root while doing so would be really nice as well.
Posted May 2, 2008 3:44 UTC (Fri) by bronson (subscriber, #4806)
Can't SELinux do both of these now?
SELinux is one of those things that I keep meaning to set up and learn... Just never enough
round tuits.
Limiting privilege to binding reserved port
Posted May 2, 2008 15:22 UTC (Fri) by giraffedata (subscriber, #1954)
having a process just bind a port below
1024 without being root while doing so would be really nice as well.
That's been there since the earliest days of capabilities. It is the NET_BIND_SERVICE capability. Whenever I have a program that wants superuser privilege just so it can bind a reserved port, I invoke it from a program "capexec", which sets NET_BIND_SERVICE capability only, sets the proper uid and gid, and execs the untrusted program. (The process is superuser when it invokes capexec).
Sometimes I have to modify the untrusted program because it contains a bogus check for uid zero.
But an even better way to deal with this is not to give any privilege to the untrusted program at all -- just pass it a file descriptor for a socket already bound to the reserved port. For that, I use "socketexec" before "capexec". Socketexec creates the socket and execs capexec. Capexec drops all privileges and execs the untrusted program. I usually have to modify the program to be able to take an already bound socket. Some programs have to bind multiple times in their life and this won't work.
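The socketexec/capexec pattern described above, as an added C example (not the commenter's own tools): the socket is bound while the process is still privileged, root is then dropped with plain setgid/setuid rather than with capabilities, and the untrusted program is exec'd with the already bound socket on a fixed descriptor number. The fd number 3 and the environment-free handoff are assumptions of this example.

```c
/* socketexec-style helper: bind the listening socket while still privileged,
 * drop to an unprivileged uid/gid, then exec the target with the socket
 * inherited on a fixed fd. (Added example, not the commenter's tool.) */
#define _GNU_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define LISTEN_FD 3 /* fd the exec'd program is told to use (assumed convention) */

/* Bind an IPv4 TCP listening socket to `port` (needs root or CAP_NET_BIND_SERVICE
 * when port < 1024). Returns the fd, or -1 on failure. */
int bind_listen_socket(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the socket actually got (useful when port 0 was requested). */
int bound_port(int fd) {
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

/* Give up root for good: supplementary groups, then gid, then uid. The order
 * matters, because after setuid() the process can no longer change groups.
 * Afterwards confirm the drop actually took effect before trusting it. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    return 0;
}

/* Hand the bound socket to the unprivileged program as LISTEN_FD and exec it.
 * dup2() clears FD_CLOEXEC on the new descriptor, so it survives the exec. */
int exec_with_socket(int fd, char *const argv[]) {
    if (fd != LISTEN_FD && dup2(fd, LISTEN_FD) < 0) return -1;
    execvp(argv[0], argv);
    return -1; /* only reached if exec failed */
}
```

A wrapper would call bind_listen_socket(80), then drop_privileges(uid, gid), then exec_with_socket(fd, argv), so the target program starts with no privilege and simply accept()s on fd 3; as the comment notes, a program that must re-bind later in its life cannot use this path.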