
Filesystem capabilities in Fedora 10

Posted Jan 8, 2009 13:05 UTC (Thu) by asamardzic (guest, #27161)
In reply to: Filesystem capabilities in Fedora 10 by jamesh
Parent article: Filesystem capabilities in Fedora 10

The code in a SUID application could at will switch, through setuid(2), between real and saved set-user-ID. So in this particular case, it should be possible to switch back to the real user ID immediately upon program start and go this way until the socket(2) call is needed to open the raw socket. Just before this call, setuid() should be called to switch to the saved set-user-ID (which means to switch to superuser privileges), and immediately after socket() has returned the descriptor, setuid() should be employed again to switch back to the real user ID (which means to return to executing as an ordinary user). And that's the whole magic. Now, I'm pretty sure that things are not actually that simple in the ping source code, but still I fail to see what advantage this complicated capabilities mechanism could have over careful code examination, and applying proven techniques such as the one I tried to describe above.


Filesystem capabilities in Fedora 10

Posted Jan 8, 2009 14:27 UTC (Thu) by vonbrand (guest, #4458)

The problem is that malicious code that somehow subverted ping's executable can do exactly the same UID switching and do anything root can do.

Filesystem capabilities in Fedora 10

Posted Jan 9, 2009 6:53 UTC (Fri) by yvesjmt (guest, #38201)

I believe you're referring to seteuid(2) instead. The syscall you mentioned, setuid(2), makes a permanent change, because it sets the real and effective user IDs, and the saved set-user-ID.

Using seteuid(2) won't help. If the code can switch back to the saved set-user-ID and it gets exploited, it's rooted. No security added here.

If ping needed to open the raw socket only once, it could drop privileges permanently. But as we know ping needs to open sockets continuously.

> Now, I'm pretty sure that things are not actually that simple in the
> ping source code, but still I fail to see what advantage this complicated
> capabilities mechanism could have over careful code examination, and
> applying proved techniques as this one I tried to describe above.

Even if you do "careful code examination" when writing programs, that's not a replacement for a good security design. You'd still need other layers to protect from subtle issues[1].

One of the mantras of writing secure software is giving the least privilege necessary. That's what capabilities are about - though I confess I had never heard about them.

[1] I'd recommend this wonderful short book that covers this topic really well http://oreilly.com/catalog/9780596002428/
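The distinction the two comments above turn on (a seteuid() drop leaves the saved set-user-ID in place, a setuid() drop by a privileged process does not) is easy to check with a small model of the three Linux per-process user IDs. The C program below is an added example, not code from either commenter or from ping; it implements the documented setuid(2)/seteuid(2) rules on a constructed credential triple (a setuid-root binary started by uid 1000) and deliberately ignores fsuid and the CAP_SETUID capability, so it runs without privileges.

```c
#include <stdio.h>
#include <sys/types.h>

/* Constructed model of the three Linux per-process user IDs. The real kernel
 * also tracks fsuid and honours CAP_SETUID; both are left out here. */
struct creds {
    uid_t ruid; /* real user ID: who ran the program */
    uid_t euid; /* effective user ID: what permission checks use */
    uid_t suid; /* saved set-user-ID: what the process may switch back to */
};

/* setuid(2) as documented on Linux: a privileged caller (euid 0) sets all
 * three IDs, so the change is permanent; an unprivileged caller may only
 * set the effective ID to its real or saved ID. Returns 0 or -1 (EPERM). */
int model_setuid(struct creds *c, uid_t uid)
{
    if (c->euid == 0) {
        c->ruid = c->euid = c->suid = uid;
        return 0;
    }
    if (uid == c->ruid || uid == c->suid) {
        c->euid = uid;
        return 0;
    }
    return -1;
}

/* seteuid(2) as documented: only the effective ID changes; an unprivileged
 * caller may pick any of its real, effective or saved IDs. */
int model_seteuid(struct creds *c, uid_t uid)
{
    if (c->euid == 0 || uid == c->ruid || uid == c->euid || uid == c->suid) {
        c->euid = uid;
        return 0;
    }
    return -1;
}

/* Start state of a setuid-root binary run by user 1000 (constructed values). */
static struct creds setuid_root_start(void)
{
    struct creds c = { 1000, 0, 0 };
    return c;
}

/* The bracket proposed in the first comment: drop at start, raise around
 * socket(2), drop again. Returns the saved ID left behind afterwards. */
uid_t bracket_leaves_saved_uid(void)
{
    struct creds c = setuid_root_start();
    model_seteuid(&c, 1000);  /* immediately upon program start */
    model_seteuid(&c, 0);     /* just before socket(2) */
    /* socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) would be opened here */
    model_seteuid(&c, 1000);  /* immediately after */
    return c.suid;            /* still 0: root is one seteuid() away */
}

/* Temporary drop with seteuid(): returns 1 if the process can later regain
 * euid 0, i.e. the drop adds nothing against code running inside it. */
int temporary_drop_can_regain_root(void)
{
    struct creds c = setuid_root_start();
    if (model_seteuid(&c, 1000) != 0) return -1;
    /* any code path in the process now calls seteuid(0) ... */
    return model_seteuid(&c, 0) == 0 && c.euid == 0;
}

/* Permanent drop with setuid() while euid is 0: all three IDs become 1000,
 * so a later seteuid(0) fails. Returns 1 if regaining root is impossible. */
int permanent_drop_blocks_root(void)
{
    struct creds c = setuid_root_start();
    if (model_setuid(&c, 1000) != 0) return -1;
    return model_seteuid(&c, 0) != 0 && c.euid == 1000 && c.suid == 1000;
}

int main(void)
{
    printf("saved uid after seteuid() bracket: %u\n", (unsigned) bracket_leaves_saved_uid());
    printf("seteuid() drop, root regainable:   %d\n", temporary_drop_can_regain_root());
    printf("setuid() drop, root blocked:       %d\n", permanent_drop_blocks_root());
    return 0;
}
```

The model makes the second comment's point concrete: the only drop that removes the saved set-user-ID is the permanent one, and ping cannot take it because it keeps opening raw sockets, which is exactly the gap a file capability such as CAP_NET_RAW on the binary is meant to fill.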

Filesystem capabilities in Fedora 10

Posted Jan 9, 2009 15:44 UTC (Fri) by jwarnica (guest, #27492)

If everything works well... then everything works well. You might as well not have the concept of user accounts, just have everything run at the same level. Just audit all your source code with proven techniques, and all is good. If everything works well.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds