
2.6.8 and CD recording

Posted Aug 19, 2004 6:11 UTC (Thu) by pascal.martin (guest, #2995)
Parent article: 2.6.8 and CD recording

There is something I don't understand regarding the CAP_SYS_RAWIO capability: does this give access to all devices? Can it be enabled device by device (or device type by device type, such as CDROM writers)?

In the defense industry you are granted access only to the information you need to know. Anything else is not granted, no matter what your clearance level is.

Should not that be the case for capabilities?



2.6.8 and CD recording

Posted Aug 19, 2004 13:19 UTC (Thu) by fergal (guest, #602) [Link]

The thing is that "capability" in the Linux kernel (POSIX capabilities?) does not mean the same thing as "capability" in the general computer science/OS research.

So yes, real capabilities would do what you're talking about and I think there may be SELinux modules which implement this sort of thing but it is not yet standard.

CAP_SYS_RAWIO

Posted Aug 20, 2004 23:31 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

You have to be able to get a device file open in order to do raw I/O to it with CAP_SYS_RAWIO, but yes, the capability applies equally to all devices for which you can get a device file open. The read/write mode of the open is usually irrelevant.

In the traditional Unix security model, instead of having a vast matrix of principal/privilege combinations designed into the kernel, you're expected to build the kind of security you're talking about with setuid programs and daemons on top of the kernel. I like it that way. I used to even like the only-one-capability model (uid 0/not uid 0), but the realities of system bugs have brought me around to liking the slightly more fine-grained capabilities we have now.

In case it isn't obvious what kind of security I'm talking about: You don't give an interactive shell CAP_SYS_RAWIO, but rather give a program CAP_SYS_RAWIO and give principals permission to execute the program. The program should exploit the capability only to do very specific things, and might do some further permission checking, maybe based on which device you're accessing. Or, give a daemon process CAP_SYS_RAWIO and send it socket messages. The daemon authenticates you and does your bidding only against devices you are authorized to do raw I/O to.
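The daemon design sketched in the comment above, written out as an added example (this is not code from the thread or from any kernel project): the daemon is the one process holding CAP_SYS_RAWIO, clients talk to it over a Unix-domain socket, and it authenticates the caller with the kernel-supplied peer credentials rather than trusting anything in the message. The `RAWIO <path>` request format, the per-uid device table, and the injectable `open_device` hook are all assumptions made for the example; it assumes Linux, since `SO_PEERCRED` is Linux-specific.

```python
"""Authorization front end for a CAP_SYS_RAWIO helper daemon (added example).

Assumed design: the daemon alone holds CAP_SYS_RAWIO; callers never get the
capability. A caller sends "RAWIO <device path>" over a Unix socket, the
daemon identifies the caller via SO_PEERCRED (Linux only), and only devices
listed for that uid in the policy table are ever opened.
"""
import os
import socket
import struct

# Constructed policy table: uid -> device nodes that uid may do raw I/O to.
DEVICE_POLICY = {
    1000: {"/dev/sr0"},
    1001: {"/dev/sr0", "/dev/sr1"},
}


def peer_uid(conn):
    """Return the uid of the process on the other end of a Unix socket.

    The kernel fills in struct ucred (pid, uid, gid) at connect() time, so,
    unlike a uid carried inside the request, the client cannot forge it.
    """
    fmt = "3i"  # struct ucred: three 32-bit ints on Linux
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    _pid, uid, _gid = struct.unpack(fmt, raw)
    return uid


def canonical_device(path):
    """Normalise the requested path and accept only nodes directly under /dev.

    normpath collapses '..' and doubled slashes, so '/dev/../dev/sr0' and
    '/dev//sr0' both become '/dev/sr0'. Anything that ends up outside /dev,
    or in a subdirectory of it, is rejected before the policy is consulted.
    """
    norm = os.path.normpath(path)
    head, tail = os.path.split(norm)
    if head != "/dev" or not tail:
        return None
    return norm


def authorize(uid, device, policy=DEVICE_POLICY):
    """Deny by default: a uid absent from the table is allowed nothing."""
    return device in policy.get(uid, set())


def handle_request(conn, request, policy=DEVICE_POLICY, open_device=None):
    """Handle one "RAWIO <path>" request; returns (status, detail).

    open_device is injectable so the decision logic can be exercised without
    a real device node; the default performs the actual privileged open.
    """
    if open_device is None:
        open_device = lambda p: os.open(p, os.O_RDWR | os.O_NONBLOCK)
    parts = request.strip().split(maxsplit=1)
    if len(parts) != 2 or parts[0] != "RAWIO":
        return ("error", "malformed request")
    device = canonical_device(parts[1])
    if device is None:
        return ("denied", "path is not a device node directly under /dev")
    uid = peer_uid(conn)  # identity comes from the kernel, not the message
    if not authorize(uid, device, policy):
        return ("denied", f"uid {uid} is not authorized for {device}")
    return ("ok", open_device(device))


def demo():
    """Stand-alone run: this process plays both client and daemon over a socketpair."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    policy = {os.getuid(): {"/dev/sr0"}}  # constructed: only the CD writer is allowed
    fake_open = lambda p: f"fd-for-{p}"  # stand-in for os.open, no device touched
    results = []
    for req in ("RAWIO /dev/sr0", "RAWIO /dev/../dev/sr0",
                "RAWIO /dev/sda", "RAWIO /etc/shadow"):
        client.sendall(req.encode())
        results.append(handle_request(server, server.recv(256).decode(), policy, fake_open))
    client.close()
    server.close()
    return results


if __name__ == "__main__":
    for status, detail in demo():
        print(status, detail)
```

The point of the split is that the caller only ever sees an answer to a narrow question ("may I open this one node?") and never the capability itself; the path canonicalisation and the kernel-provided peer uid are what keep the daemon's check from being bypassed by a crafted request.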


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds