
Filesystem capabilities in Fedora 10

Posted Jan 9, 2009 6:53 UTC (Fri) by yvesjmt (guest, #38201)
In reply to: Filesystem capabilities in Fedora 10 by asamardzic
Parent article: Filesystem capabilities in Fedora 10

I believe you're referring to seteuid(2) instead. The syscall you mentioned, setuid(2), makes a permanent change, because it sets the real and effective user IDs, and the saved set-user-ID.

Using seteuid(2) won't help. If the code can switch back to the saved set-user-ID and it gets exploited, it's rooted. No security added here.

If ping needed to open the raw socket only once, it could drop privileges permanently. But, as we know, ping needs to open sockets continuously.

> Now, I'm pretty sure that things are not actually that simple in the
> ping source code, but still I fail to see what advantage this complicated
> capabilities mechanism could have over careful code examination, and
> applying proved techniques as this one I tried to describe above.

Even if you do "careful code examination" when writing programs, that's not a replacement for a good security design. You'd still need other layers to protect from subtle issues [1].

One of the mantras of writing secure software is giving the least privilege necessary. That's what capabilities are about - though I confess I had never heard about them.

[1] I'd recommend this wonderful short book that covers this topic really well
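The distinction the comment above draws, a temporary seteuid(2) drop that leaves the saved set-user-ID at 0 versus a permanent drop of all three IDs, is shown below in C for Linux. This is an added example, not code from the thread or from the iputils ping; the function names (temporary_drop, permanent_drop, can_regain_root, effective_caps) are this example's own, and the capability check reads the CapEff line of /proc/self/status rather than using libcap. Run it unprivileged and both checks report that root cannot be regained; run it as a setuid-root binary (chown root, chmod u+s) and the first check prints 1, the second 0.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example, not from the LWN thread or from iputils.
 * Names below are this example's own choices. */

/* Temporary drop, the pattern a setuid-root ping would use between
 * socket opens: the effective uid becomes the caller, but the saved
 * set-user-ID stays 0, so a later seteuid(0) succeeds.  Exploited
 * code in the process can make that same call. */
static int temporary_drop(uid_t caller)
{
    return seteuid(caller);          /* saved set-user-ID untouched */
}

/* Permanent drop: set real, effective and saved uids together with
 * setresuid(2) instead of relying on the "setuid() sets all three only
 * when euid is 0" rule, then read the ids back to confirm. */
static int permanent_drop(uid_t target)
{
    uid_t r, e, s;

    if (setresuid(target, target, target) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0)   /* never trust the return code alone */
        return -1;
    return (r == target && e == target && s == target) ? 0 : -1;
}

/* 1 if the process can still become root, 0 if it cannot.
 * After a correct permanent drop by a setuid-root program this must
 * return 0; after only a temporary drop it returns 1. */
static int can_regain_root(void)
{
    uid_t before = geteuid();

    if (seteuid(0) == 0) {
        if (before != 0)
            seteuid(before);         /* undo the probe */
        return 1;
    }
    return 0;                        /* EPERM: no saved root id left */
}

/* Effective capability mask from the "CapEff:" line of
 * /proc/self/status (Linux-specific).  A ping started by an ordinary
 * user on a system using file capabilities should show only
 * CAP_NET_RAW here, not the whole root mask.  Returns UINT64_MAX if
 * the file cannot be read. */
static uint64_t effective_caps(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    uint64_t caps = UINT64_MAX;

    if (!f)
        return caps;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            caps = strtoull(line + 7, NULL, 16);
            break;
        }
    }
    fclose(f);
    return caps;
}

#define CAP_NET_RAW_BIT 13           /* CAP_NET_RAW from linux/capability.h */

/* True when the effective set is exactly the one capability ping needs. */
static int has_only_net_raw(uint64_t caps)
{
    return caps == (1ULL << CAP_NET_RAW_BIT);
}

int main(void)
{
    uid_t caller = getuid();

    printf("uid=%u euid=%u CapEff=%#llx only_net_raw=%d\n",
           (unsigned)caller, (unsigned)geteuid(),
           (unsigned long long)effective_caps(),
           has_only_net_raw(effective_caps()));

    if (temporary_drop(caller) != 0)
        perror("seteuid");
    printf("after seteuid:   can regain root? %d\n", can_regain_root());

    if (permanent_drop(caller) != 0)
        perror("setresuid");
    printf("after setresuid: can regain root? %d\n", can_regain_root());
    return 0;
}
```

The point to take from the two printed lines is the one the comment makes: the first drop is reversible by anyone who controls the process, the second is not, and a program that needs the raw socket repeatedly cannot use the second, which is why file capabilities (keeping only CAP_NET_RAW for the whole run) are the better fit.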

