> This potential privilege escalation isn't there so much as to prevent programs from getting real-uid == 0 as to prevent them doing something unintended, somewhat akin to accidentally rebooting the machine.
While this may be true in some cases, it is not in others. For example, in the case of linux vservers, capabilities are used to restrict the capabilities of the entire vserver. They are used as a mechanism to isolate vservers from the host. There is a mechanism for a host sysadmin to grant limited capabilities to a vserver when it needs to perform certain privileged operations. Therefore, it should be of concern if granting certain capabilities to a vserver means that users in that vserver can effectively gain more capabilities than the host sysadmin intended them to receive.
Spengler: False Boundaries and Arbitrary Code Execution
Posted Jan 5, 2011 18:03 UTC (Wed) by SEJeff (subscriber, #51588)
It seems like Information Assurance in the form of MAC (hello SELinux) is a cleaner option than capabilities where possible. I know that Fedora / RHEL taught libvirtd about SELinux and called it sVirt[1]. This seems like the best possible way forward over simple capabilities.