Filesystem capabilities in Fedora 10
Posted Jan 8, 2009 8:46 UTC (Thu) by jamesh (guest, #1159)
In contrast, if the app only has the capabilities it needs you can only exploit those capabilities. So a bug in ping might only allow creation of raw sockets, but not bypass of file system permissions.
Posted Jan 8, 2009 13:05 UTC (Thu) by asamardzic (guest, #27161)
Posted Jan 8, 2009 14:27 UTC (Thu) by vonbrand (subscriber, #4458)
The problem is that malicious code that somehow subverted ping's executable can do exactly the same UID switching and do anything root can do.
Posted Jan 9, 2009 6:53 UTC (Fri) by yvesjmt (subscriber, #38201)
Using seteuid(2) won't help. If the code can switch back to the saved set-user-ID and it gets exploited, it's rooted. No security added here.
If ping needed to open the raw socket only once, it could drop privileges permanently. But as we know ping needs to open sockets continuously.
> Now, I'm pretty sure that things are not actually that simple in the
> ping source code, but still I fail to see what advantage this complicated
> capabilities mechanism could have over careful code examination, and
> applying proved techniques as this one I tried to describe above.
Even if you do "careful code examination" when writing programs, that's not a replacement for a good security design. You'd still need other layers to protect from subtle issues.
One of the mantras of writing secure software is giving the least privilege necessary. That's what capabilities are about - though I confess I had never heard about them.
I'd recommend this wonderful short book that covers this topic really well http://oreilly.com/catalog/9780596002428/
Posted Jan 9, 2009 15:44 UTC (Fri) by jwarnica (subscriber, #27492)
Posted Jan 8, 2009 13:48 UTC (Thu) by elanthis (guest, #6227)
That is what capabilities are for. Give the program only what it needs and nothing else. You can take it a step further and split the program into frontend and backend pieces and give only the backend piece the capability necessary, too.
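The two points above (jamesh: a ping that only holds the raw-socket capability can only leak raw sockets; elanthis: give the program only what it needs) are easiest to see by looking at what Fedora actually stores on the binary. An added example, not code from this thread or from Fedora/libcap: a decoder for the `security.capability` extended attribute (the `struct vfs_cap_data` layout from the kernel's `linux/capability.h`, revisions 2 and 3) and for the hex `CapEff`/`CapPrm` masks in `/proc/<pid>/status`. The sample xattr is constructed by hand from that layout; it is the 20-byte value that `setcap cap_net_raw+ep` writes. Function names and the output dict are this example's own.

```python
import base64
import struct

# Capability numbers from <linux/capability.h>.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 9: "cap_linux_immutable",
    10: "cap_net_bind_service", 11: "cap_net_broadcast", 12: "cap_net_admin",
    13: "cap_net_raw", 14: "cap_ipc_lock", 15: "cap_ipc_owner",
    16: "cap_sys_module", 17: "cap_sys_rawio", 18: "cap_sys_chroot",
    19: "cap_sys_ptrace", 20: "cap_sys_pacct", 21: "cap_sys_admin",
    22: "cap_sys_boot", 23: "cap_sys_nice", 24: "cap_sys_resource",
    25: "cap_sys_time", 26: "cap_sys_tty_config", 27: "cap_mknod",
    28: "cap_lease", 29: "cap_audit_write", 30: "cap_audit_control",
    31: "cap_setfcap", 32: "cap_mac_override", 33: "cap_mac_admin",
    34: "cap_syslog", 35: "cap_wake_alarm", 36: "cap_block_suspend",
    37: "cap_audit_read", 38: "cap_perfmon", 39: "cap_bpf",
    40: "cap_checkpoint_restore",
}

# Constants from the kernel's vfs_cap_data definition.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000      # 20 bytes: magic + 2 x (permitted, inheritable)
VFS_CAP_REVISION_3 = 0x03000000      # 24 bytes: revision 2 layout + rootid (user namespaces)
VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # "e" in setcap notation, applies to all permitted caps

# Constructed sample: what `setcap cap_net_raw+ep /bin/ping` stores (revision 2,
# effective bit set, permitted = 1 << CAP_NET_RAW, nothing inheritable).
PING_XATTR = base64.b64decode("AQAAAgAgAAAAAAAAAAAAAAAAAAA=")


def mask_to_names(mask):
    """Expand a 64-bit capability mask into the names of the set bits, low bit first."""
    return [CAP_NAMES.get(bit, "cap_%d" % bit) for bit in range(64) if (mask >> bit) & 1]


def decode_security_capability(xattr):
    """Decode the raw bytes of a security.capability xattr into its three components."""
    if len(xattr) < 4:
        raise ValueError("xattr too short to contain a vfs_cap_data header")
    magic_etc = struct.unpack_from("<I", xattr, 0)[0]
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2:
        expected_len = 20
    elif revision == VFS_CAP_REVISION_3:
        expected_len = 24
    else:
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % revision)
    if len(xattr) != expected_len:
        raise ValueError("revision 0x%08x needs %d bytes, got %d"
                         % (revision, expected_len, len(xattr)))
    # data[0] covers capabilities 0..31, data[1] covers 32..63; all fields are little-endian.
    p0, i0, p1, i1 = struct.unpack_from("<IIII", xattr, 4)
    rootid = struct.unpack_from("<I", xattr, 20)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {
        "permitted": mask_to_names(p0 | (p1 << 32)),
        "inheritable": mask_to_names(i0 | (i1 << 32)),
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "rootid": rootid,
    }


def to_setcap_text(caps):
    """Render decoded file caps in setcap/getcap notation, e.g. 'cap_net_raw+ep'."""
    groups = {}
    for name in set(caps["permitted"]) | set(caps["inheritable"]):
        flags = ""
        if caps["effective"] and name in caps["permitted"]:
            flags += "e"
        if name in caps["inheritable"]:
            flags += "i"
        if name in caps["permitted"]:
            flags += "p"
        groups.setdefault(flags, []).append(name)
    return " ".join(",".join(sorted(names)) + "+" + flags
                    for flags, names in sorted(groups.items()))


def decode_proc_cap_mask(hex_mask):
    """Decode a CapEff/CapPrm/CapInh value as printed in /proc/<pid>/status."""
    return mask_to_names(int(hex_mask, 16))


if __name__ == "__main__":
    caps = decode_security_capability(PING_XATTR)
    print("file caps on ping:", to_setcap_text(caps))
    # A setuid-root ping would instead run with every capability the kernel knows about.
    print("caps a setuid-root process holds:", len(decode_proc_cap_mask("000001ffffffffff")))
    print("caps a file-capability ping holds:", len(caps["permitted"]))
```

To check a real binary, `getfattr -n security.capability -e base64 /bin/ping` yields the base64 form fed to `decode_security_capability`, and `grep CapEff /proc/$(pidof ping)/status` yields the hex mask fed to `decode_proc_cap_mask`. The difference between one permitted capability and the full mask is the point of the thread: a memory-safety bug in the file-capability ping gives the attacker raw sockets, while the same bug in a setuid-root ping gives the attacker everything root can do.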
Posted Jan 8, 2009 14:34 UTC (Thu) by kilpatds (subscriber, #29339)
Copyright © 2013, Eklektix, Inc.