Points of confusion

Posted Oct 1, 2011 20:09 UTC (Sat) by oak (guest, #2786)
In reply to: Points of confusion by Ross
Parent article: LSS: The kernel hardening roundtable

> Well yes, capabilities exist, but they don't really work. The reason Cook gave is true, but misses the much larger failure: they only remove capabilities that are normally exclusive to root.

And even for root operations they seem to have too little granularity.

Ptrace capability is a good (worst?) example of this. You need it to read things like process maps & smaps files, which many (resource usage measurement) tools need, but that capability also allows attaching to, inspecting and changing other users' process internals, not just inspecting how many mappings they have and how much memory those mappings use. Also, instead of denying access to the maps & smaps /proc files, lacking the ptrace capability means that you get wrong (empty) content for those files...


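The probe below is an added example written for this page; it is not code from the thread or from any of the resource-measurement tools oak has in mind. It assumes a Linux /proc and two facts not stated in the post: CAP_SYS_PTRACE is bit 19 of the CapEff mask in /proc/<pid>/status, and status (unlike maps and smaps) is readable without passing the kernel's ptrace access check. It shows what a measurement tool can do about the "wrong (empty) content" problem: tell an empty maps read caused by a failed ptrace check apart from a kernel thread's genuinely empty mapping list, and report whether the calling process holds CAP_SYS_PTRACE at all. On current kernels the open() of maps itself fails with EACCES rather than returning zero bytes, so both outcomes are handled.

```c
/*
 * ptrace_probe.c - constructed example, not from the LWN thread.
 *
 * Two checks before trusting /proc/<pid>/maps or smaps:
 *   1. does this process hold CAP_SYS_PTRACE in its effective set?
 *   2. when maps reads back empty, is that "no mappings" or "not allowed"?
 * Build: cc -Wall -o ptrace_probe ptrace_probe.c
 * Usage: ./ptrace_probe [pid]      (defaults to "self")
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CAP_SYS_PTRACE 19   /* bit index, as in <linux/capability.h> */

enum probe { PROBE_CONTENT, PROBE_EMPTY, PROBE_DENIED, PROBE_NOPROC, PROBE_ERROR };

/* Is capability bit `cap` set in a CapEff-style hex mask such as "0000003fffffffff"? */
int cap_in_mask(const char *hex, int cap)
{
    unsigned long long mask = strtoull(hex, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Read up to buflen-1 bytes of /proc/<pid>/<name> into buf and NUL-terminate it. */
enum probe probe_proc_file(const char *pid, const char *name, char *buf, size_t buflen)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/%s", pid, name);

    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        /* Current kernels refuse the open() when the ptrace access check fails. */
        if (errno == EACCES || errno == EPERM) return PROBE_DENIED;
        if (errno == ENOENT || errno == ESRCH) return PROBE_NOPROC;
        return PROBE_ERROR;
    }
    ssize_t n = read(fd, buf, buflen - 1);
    int saved = errno;
    close(fd);
    if (n < 0)
        return (saved == EACCES || saved == EPERM) ? PROBE_DENIED : PROBE_ERROR;
    buf[n] = '\0';
    /* Older kernels let the open() succeed and hand back zero bytes instead. */
    return n == 0 ? PROBE_EMPTY : PROBE_CONTENT;
}

/* Find "Key:<ws>value" in a /proc status buffer; copy the value into out. Returns 1 if found. */
int status_field(const char *status, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':') {
            const char *v = p + klen + 1;
            while (*v == ' ' || *v == '\t') v++;
            size_t i = 0;
            while (v[i] && v[i] != '\n' && i < outlen - 1) { out[i] = v[i]; i++; }
            out[i] = '\0';
            return 1;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return 0;
}

/*
 * An empty maps file is ambiguous: kernel threads genuinely have no user
 * mappings, but a process we may not ptrace also reads back empty on older
 * kernels. status is readable regardless of ptrace and only carries VmSize
 * for tasks that own an address space, so use it to tell the two apart.
 */
const char *explain_empty_maps(const char *status)
{
    char vmsize[64];
    return status_field(status, "VmSize", vmsize, sizeof vmsize)
        ? "empty maps but VmSize present: access denied, not zero mappings"
        : "no VmSize in status: kernel thread, genuinely no user mappings";
}

int main(int argc, char **argv)
{
    const char *pid = argc > 1 ? argv[1] : "self";
    static char buf[65536];
    char capeff[64];

    if (probe_proc_file("self", "status", buf, sizeof buf) == PROBE_CONTENT &&
        status_field(buf, "CapEff", capeff, sizeof capeff))
        printf("CAP_SYS_PTRACE in our effective set: %s (CapEff=%s)\n",
               cap_in_mask(capeff, CAP_SYS_PTRACE) ? "yes" : "no", capeff);

    switch (probe_proc_file(pid, "maps", buf, sizeof buf)) {
    case PROBE_CONTENT: printf("maps of %s: readable (%zu bytes in first chunk)\n", pid, strlen(buf)); break;
    case PROBE_DENIED:  printf("maps of %s: refused by the ptrace access check (EACCES)\n", pid); break;
    case PROBE_NOPROC:  printf("no such process: %s\n", pid); break;
    case PROBE_ERROR:   printf("maps of %s: unexpected error\n", pid); break;
    case PROBE_EMPTY:
        if (probe_proc_file(pid, "status", buf, sizeof buf) == PROBE_CONTENT)
            printf("maps of %s: %s\n", pid, explain_empty_maps(buf));
        else
            printf("maps of %s: empty, and status unreadable too\n", pid);
        break;
    }
    return 0;
}
```

Run it as an unprivileged user against a root-owned PID (`./ptrace_probe 1`) and then under `sudo` to see the difference the capability makes; a measurement tool that treats PROBE_EMPTY or PROBE_DENIED as "zero bytes mapped" is the mistake oak is describing.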

Points of confusion

Posted Oct 11, 2011 12:22 UTC (Tue) by trasz (guest, #45786)

In other words, ptrace capability is an instant root.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds