Re: Filesystem Capabilities in 2.6?

Theodore Ts'o (tytso@mit.edu)
Mon, 4 Nov 2002 09:39:27 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Henning P. Schmiedehausen: "Re: [lkcd-general] Re: What's left over."
Previous message: Richard B. Johnson: "Re: [STATUS 2.5] October 30, 2002"

On Sun, Nov 03, 2002 at 01:37:19AM -0500, Alexander Viro wrote:
> > In other words, it would actually make perfect sense to have
> >
> > -r-sr-sr-x 1 nobody mail 451280 Apr 8 2002 /usr/bin/sendmail
> >
> > mount --bind --capability=chown,bindlow /usr/bin/sendmail /usr/bin/sendmail
>
> *blam*
>
> Congratulations with potential crapload of security holes - now anyone
> who'd compromised a process running as nobody can chmod the damn thing
> and modify it.
>
> And that is the reason why suid-nonroot is bad. It creates a class of
> binaries that can easily give you a root compromise if one of them has
> an exploit - even if that one is never run by root.

This is solved by some implementations of POSIX capabilities by
zapping any capabilities if the executible is modified --- just as
some Unix systems zap the setuid bit if the executable is modified.
It addresses specifically the problem that you've raised.

- Ted
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Henning P. Schmiedehausen: "Re: [lkcd-general] Re: What's left over."
Previous message: Richard B. Johnson: "Re: [STATUS 2.5] October 30, 2002"