
reminder: "POSIX capabilities" are different from "capabilities"

Posted May 13, 2004 12:03 UTC (Thu) by zooko (subscriber, #2589)
In reply to: reminder: "POSIX capabilities" are different from "capabilities" by zooko
Parent article: Magic groups in 2.6

I just wanted to remind people that the word "capabilities" originally meant something else, and the people who named POSIX capabilities have caused unfortunate confusion. To see the differences between POSIX capabilities and traditional capabilities, please see Figure 15 in this page:

Capability Myths Demolished

Some proponents of traditional capabilities have recently started calling traditional capabilities "object capabilities" in order to reduce the confusion, even though "object capabilities" are identical to the original concept of capabilities published by Dennis and Van Horn in 1965.

Perhaps it would be good to refer to POSIX capabilities as "POSIX capabilities" instead of "capabilities" in order to help reduce confusion.

Regards,

Zooko


reminder: "POSIX capabilities" are different from "capabilities"

Posted May 13, 2004 16:03 UTC (Thu) by rjw (guest, #10415)

Also, it's important to note that the closest things we have to capabilities on a kernel level are file descriptors - and we should be making use of these rather than totally subverting the unix security model ( SELinux, POSIX ACLS/CAPS, etc).

We should also be careful to separate the concept of a physical user from a unix uid. Users should have the ability to create subservient users and groups - that are bounded by the permission set that their 'principal' user has.

Every program that is run should really be run under a temporary UID with a minimal per-process namespace as well - i.e. only knowledge of the files it needs. This includes running dodgy email attachments - if we remove the ambient authority to open random network ports and trash a user's files, to fork or malloc the system to death and to do all kinds of other damage, we could run even random binaries and shell scripts emailed to us without fear.

This would all require quite a lot of work, but it wouldn't mean having two or more utterly arbitrary security models tacked on to the unix one. SELinux really makes me sick.
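The point above about file descriptors being the closest thing the kernel offers to a capability, and the point in the top post that POSIX capabilities are something else, can both be shown concretely. The following is an added example written for this page, not code from any poster or from LWN. It constructs a temporary file, keeps only a read-only descriptor to it, removes the name so that path-based (ambient) authority is gone, and checks that the descriptor alone still designates the object and carries exactly the authority it was opened with, and can be handed to a child process. It then decodes a constructed `CapEff` line of the kind found in `/proc/<pid>/status` to show that a POSIX capability is a per-process bitmask of privileged operations with no object reference in it at all (only four of the real Linux bit numbers are listed, as an illustration).

```python
"""Added example (not from the LWN thread): file descriptors as object
capabilities versus POSIX capabilities as a per-process privilege bitmask."""
import errno
import os
import subprocess
import sys
import tempfile

# A few real Linux capability bit numbers from <linux/capability.h>;
# the table is deliberately incomplete.
CAP_BITS = {
    0: "CAP_CHOWN",
    1: "CAP_DAC_OVERRIDE",
    10: "CAP_NET_BIND_SERVICE",
    21: "CAP_SYS_ADMIN",
}


def _make_file(content: str):
    """Create a constructed file in a fresh temporary directory."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "secret.txt")
    with open(p, "w") as f:
        f.write(content)
    return d, p


def fd_as_capability() -> dict:
    """Show that an fd is an unforgeable reference carrying bounded authority."""
    d, p = _make_file("payload")
    fd = os.open(p, os.O_RDONLY)   # the capability: designation plus read authority
    os.unlink(p)                   # remove the name: path-based ambient authority is gone
    out = {}
    try:
        os.open(p, os.O_RDONLY)    # re-deriving access from the name now fails
        out["path_open_ok"] = True
    except FileNotFoundError:
        out["path_open_ok"] = False
    out["fd_read"] = os.read(fd, 64).decode()   # the reference still works
    try:
        os.write(fd, b"x")         # attenuated: a read-only fd grants no write authority
        out["fd_write_denied"] = False
    except OSError as e:
        out["fd_write_denied"] = e.errno == errno.EBADF
    os.close(fd)
    os.rmdir(d)
    return out


def delegate_fd_to_child() -> str:
    """Hand the fd (and nothing else) to a child that never sees the path."""
    d, p = _make_file("delegated")
    fd = os.open(p, os.O_RDONLY)
    os.unlink(p)
    child = ("import os, sys; "
             "sys.stdout.write(os.read(int(sys.argv[1]), 64).decode())")
    r = subprocess.run([sys.executable, "-c", child, str(fd)],
                       pass_fds=(fd,), capture_output=True, text=True, check=True)
    os.close(fd)
    os.rmdir(d)
    return r.stdout


def decode_capeff(status_line: str) -> list:
    """Decode a constructed /proc/<pid>/status CapEff line.

    The value is a bitmask of privileged operations the whole process may
    perform; it names no object, which is the contrast with the fd above.
    """
    _, _, hexmask = status_line.partition(":")
    mask = int(hexmask.strip(), 16)
    return [name for bit, name in sorted(CAP_BITS.items()) if (mask >> bit) & 1]


if __name__ == "__main__":
    print(fd_as_capability())
    print(delegate_fd_to_child())
    print(decode_capeff("CapEff:\t0000000000200401"))
```

The unlink step is what makes the distinction visible: once the name is gone nobody can obtain access by naming the file, yet the holder of the descriptor keeps exactly the rights it was given and can pass them on. A POSIX capability bit such as `CAP_NET_BIND_SERVICE` behaves the other way round; it says what a process may do to anything, not which thing it may touch.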

reminder: "POSIX capabilities" are different from "capabilities"

Posted May 13, 2004 23:44 UTC (Thu) by pimlott (guest, #1535)

> We should also be careful to separate the concept of a physical user from a unix uid. Users should have the ability to create subservient users and groups - that are bounded by the permission set that their 'principal' user has.

Oh man, I wish someone had done this. Now that we have SELinux et al, it's not likely to happen.

> SELinux really makes me sick.

*rech*

reminder: "POSIX capabilities" are different from "capabilities"

Posted May 14, 2004 17:51 UTC (Fri) by giraffedata (subscriber, #1954)

I could use more than a reminder, because I never knew the difference. The referenced figure and surrounding paper also assume I already know the difference but just don't appreciate its significance, so they didn't help me.

It's not worth an hour of reading to me, but can someone briefly describe the difference?

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds