Spengler: False Boundaries and Arbitrary Code Execution
Posted Jan 5, 2011 17:17 UTC (Wed) by farnz
In reply to: Spengler: False Boundaries and Arbitrary Code Execution
Parent article: Spengler: False Boundaries and Arbitrary Code Execution
It depends; even the 20 capabilities that Spender points out are still an improvement on suid root binaries. As cesarb correctly points out, while a daemon running with one of those 20 capabilities is still potentially as dangerous as a suid root binary, there are cases where a bug would allow a daemon running as root unlimited ability to do harm, yet merely permit the capabilities variant to DoS the daemon in question.
As with so much in security, capabilities are not a silver bullet; 15 of them genuinely appear to limit an attacker's options, while the 20 capabilities that can be converted to root are still marginally better than suid root, as they convert a limited set of bugs from exploit to DoS. This doesn't mean that there's no room for improvement, merely that we've taken one more step towards real security.
Remember, too, that in the wider world, security is not a boolean. Even though capabilities as implemented in Linux today are incomplete, they're still a little bit better than suid root (aka full access by default) - after all, if capabilities mean that 1% of the bugs that previously got an attacker root are no longer exploitable, that's a small number of bugs converted from "security-critical, will be exploited if not fixed" to "fix ASAP, just in case the analysis is incomplete". Further, thinking about caps results in people beginning to think about better routes than all-or-nothing root. It's possible that a side effect of Spender's analysis and distros moving towards caps will be better caps that don't suffer the same problem.
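The comment above contrasts a daemon that retains a single capability with one that runs as full root. As an added example, not code from this thread or from grsecurity, the following C program shows what that looks like in practice: at start-up a daemon drops every capability it does not need from its permitted and effective sets (and, when it holds CAP_SETPCAP, from the bounding set, so an exec'd helper cannot regain them), using the raw capget/capset syscalls and prctl so it builds without libcap. The classification in cap_is_root_equivalent() is this example's own assumption about which capabilities give a direct route back to uid 0; the thread does not list them, and the retained capability here (CAP_NET_BIND_SERVICE, as for a web server binding port 80) is chosen for illustration.

```c
/* Added example (not from the LWN thread): keep only the capabilities a
 * daemon needs, via raw capget/capset and prctl (no libcap dependency). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

static uint64_t cap_bit(int cap) { return (uint64_t)1 << cap; }

/* Read the calling thread's permitted and effective sets as 64-bit masks.
 * The v3 ABI splits each set into two 32-bit words. Returns 0 or -errno. */
static int get_caps(uint64_t *permitted, uint64_t *effective)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = {{0}};
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    *permitted = (uint64_t)data[1].permitted << 32 | data[0].permitted;
    *effective = (uint64_t)data[1].effective << 32 | data[0].effective;
    return 0;
}

/* Keep only the capabilities in `keep`. Bounding-set drops require
 * CAP_SETPCAP, so they are attempted only when it is held (true as root;
 * an unprivileged process holds nothing, and its reduced sets are empty
 * anyway). capset cannot add capabilities, so `keep` is intersected with
 * what we already hold. Returns 0 or -errno. */
static int restrict_caps(uint64_t keep)
{
    uint64_t perm, eff;
    int rc = get_caps(&perm, &eff);
    if (rc)
        return rc;

    if (eff & cap_bit(CAP_SETPCAP)) {
        for (int cap = 0; cap < 64; cap++) {
            if (keep & cap_bit(cap))
                continue;
            /* PR_CAPBSET_READ fails with EINVAL past the last capability
             * this kernel knows about. */
            if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) < 0)
                break;
            if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0)
                return -errno;
        }
    }

    uint64_t new_perm = keep & perm;
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = {
        { .effective = (uint32_t)new_perm,
          .permitted = (uint32_t)new_perm, .inheritable = 0 },
        { .effective = (uint32_t)(new_perm >> 32),
          .permitted = (uint32_t)(new_perm >> 32), .inheritable = 0 },
    };
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    return 0;
}

/* 1 if the thread's effective set is a subset of `allowed`, else 0. */
static int effective_subset_of(uint64_t allowed)
{
    uint64_t perm, eff;
    if (get_caps(&perm, &eff) != 0)
        return 0;
    return (eff & ~allowed) == 0;
}

/* This example's assumption (not a list from the thread): capabilities with
 * a well-known direct path to uid 0 or to kernel memory. */
static int cap_is_root_equivalent(int cap)
{
    switch (cap) {
    case CAP_SYS_ADMIN: case CAP_SYS_MODULE: case CAP_SYS_RAWIO:
    case CAP_SYS_PTRACE: case CAP_SETUID: case CAP_DAC_OVERRIDE:
    case CAP_DAC_READ_SEARCH: case CAP_CHOWN: case CAP_FOWNER:
    case CAP_MKNOD: case CAP_SETFCAP:
        return 1;
    default:
        return 0;
    }
}

/* How many capabilities in `mask` the classification above treats as
 * root-equivalent; a daemon keeping any is no safer than suid root. */
static int root_equivalent_count(uint64_t mask)
{
    int n = 0;
    for (int cap = 0; cap < 64; cap++)
        if ((mask & cap_bit(cap)) && cap_is_root_equivalent(cap))
            n++;
    return n;
}

int main(void)
{
    uint64_t keep = cap_bit(CAP_NET_BIND_SERVICE); /* e.g. bind port 80 */
    int rc = restrict_caps(keep);
    if (rc) {
        fprintf(stderr, "restrict_caps: %s\n", strerror(-rc));
        return 1;
    }
    uint64_t perm, eff;
    if (get_caps(&perm, &eff) != 0)
        return 1;
    printf("effective=%#llx root-equivalent retained=%d\n",
           (unsigned long long)eff, root_equivalent_count(eff));
    return 0;
}
```

Run as root the program ends with only CAP_NET_BIND_SERVICE in its effective and permitted sets and everything else removed from the bounding set; run as an ordinary user it simply confirms an empty set. The root_equivalent_count() check is the question the comment is really asking of any capability-using daemon: if the answer is non-zero, a bug in that daemon is still a root bug.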