Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Sun, 3 Nov 2002 07:36:27 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Sun, 3 Nov 2002 07:36:27 -0500 Received: from pc1-cwma1-5-cust42.swa.cable.ntl.com ([80.5.120.42]:36236 "EHLO irongate.swansea.linux.org.uk") by vger.kernel.org with ESMTP id ; Sun, 3 Nov 2002 07:36:26 -0500 Subject: Re: Filesystem Capabilities in 2.6? From: Alan Cox To: Alexander Viro Cc: Linus Torvalds , Olaf Dietsche , "Theodore Ts'o" , Dax Kelson , Rusty Russell , Linux Kernel Mailing List , davej@suse.de In-Reply-To: References: Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.8 (1.0.8-10) Date: 03 Nov 2002 13:03:56 +0000 Message-Id: <1036328636.29646.30.camel@irongate.swansea.linux.org.uk> Mime-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1747 Lines: 41 On Sun, 2002-11-03 at 04:28, Alexander Viro wrote: > BTW, here's a fresh demonstration (found half an hour ago) that capabilities > do *not* permit more lax attitude when writing stuff with elevated priveleges: > * /usr/lib/games/nethack/recover is run at the boot time (as root) > to recover crashed games. > * Debian nethack 3.4.0-3.1 has it installed root.games and it > is group-writable - cretinism in debian/rules, upstream is not guilty > in that (BTW, so is /usr/lib/games/nethack/recover-helper). > * ergo, any exploitable hole in sgid-games binary (rogue, for > instance) is trivially elevated to root exploit. This is why you also want something stronger than just capability models. In a strong security system the following happens. User hacks nethack Users compromises recover (and in doing so reduces its integrity) Reboot Root tries to run recover Recover has insufficient integrity Error messages appear You would also have a "game playing" role which would mean a compromised game could only write to the game score and save files, and could only read the nominated game configuration files. The problem with this is its nontrivial to set up all the rules. Being able to use namespaces to revoke rights is a big help. If we were to add a capability for 'getting out of chroot' then we can also combine it with chroot to drop users into an unpriviledged universe from which they cannot escape because we took away the chroot stuff and we took away rawio and so on Alan - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/