CAP_SYS_ADMIN: the new root
Posted Mar 15, 2012 16:11 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
Parent article: CAP_SYS_ADMIN: the new root
First, in the good old times I could just look at an executable and see if it's a setuid executable. Which means "it may be dangerous, beware".
Right now we have tons of capabilities with quite a lot of them equivalent to root access, which are hidden away in extended attributes. And people somehow think it's a GOOD thing.
Then there's a question of braindead el-dumbo capability inheritance. I have not been able after literally hours of trying to grant my Java program access to restricted ports. Should be easy, right? There definitely should be a program which you can run as root, and which will drop excessive capabilities and set uid to another user. Right? Well, think again.
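Added example, not part of the comment above or of the parent article: a small Python model of the execve() capability transformation documented in capabilities(7), showing why a wrapper that drops to another uid while keeping CAP_NET_BIND_SERVICE loses it when it execs a binary that has no file capabilities. The uid 1000, the three-capability universe and the `ambient_supported` switch (ambient capabilities arrived in Linux 4.3, after this thread, so that branch goes beyond the 2012 situation) are assumptions of the example.

```python
# Model of execve()'s capability transformation from capabilities(7).
# Added illustration: sets of names stand in for the kernel's bitmasks,
# real uid == effective uid, and set-uid/set-gid binaries are ignored.
from dataclasses import dataclass

BIND = frozenset({"CAP_NET_BIND_SERVICE"})
ALL = BIND | {"CAP_SYS_ADMIN", "CAP_SETUID"}   # constructed 3-cap universe
NONE = frozenset()

@dataclass(frozen=True)
class Proc:
    euid: int
    permitted: frozenset = NONE
    inheritable: frozenset = NONE
    ambient: frozenset = NONE
    bounding: frozenset = ALL

@dataclass(frozen=True)
class File:                       # file capabilities (security.capability xattr)
    permitted: frozenset = NONE
    inheritable: frozenset = NONE
    effective: bool = False

def execve(p, f, ambient_supported=False):
    """Return (permitted, effective) of the process after exec of file f."""
    f_perm, f_inh, f_eff = f.permitted, f.inheritable, f.effective
    if p.euid == 0:               # root: file sets count as all ones
        f_perm, f_inh, f_eff = ALL, ALL, True
    file_is_privileged = bool(f.permitted or f.inheritable)
    keep_ambient = ambient_supported and not file_is_privileged
    ambient = p.ambient if keep_ambient else NONE
    permitted = (p.inheritable & f_inh) | (f_perm & p.bounding) | ambient
    effective = permitted if f_eff else ambient
    return permitted, effective

def scenarios():
    # Wrapper already switched to uid 1000 and kept only CAP_NET_BIND_SERVICE.
    dropped = Proc(1000, permitted=BIND, inheritable=BIND)
    with_ambient = Proc(1000, permitted=BIND, inheritable=BIND, ambient=BIND)
    return {
        "root, plain binary": execve(Proc(0), File()),
        "uid 1000, plain binary": execve(dropped, File()),
        "uid 1000, binary with +ei": execve(dropped, File(inheritable=BIND, effective=True)),
        "uid 1000, ambient set": execve(with_ambient, File(), ambient_supported=True),
    }

if __name__ == "__main__":
    for name, (perm, eff) in scenarios().items():
        print(f"{name:28} permitted={sorted(perm)} effective={sorted(eff)}")
```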
Posted Mar 19, 2012 20:34 UTC (Mon)
by BenHutchings (subscriber, #37955)
Posted Mar 20, 2012 2:07 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
BTW, I see that Wheezy now supports AppArmor (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598408).
Some time ago (http://lwn.net/Articles/459460/) I promised to send you a case of beer or a yearly subscription to LWN in that case. So what do you choose? :)
Posted Mar 20, 2012 2:33 UTC (Tue)
by foom (subscriber, #14868)
systemd apparently is that program.
