capabilities



Hello all,


I'm toying with POSIX(-like) capabilities.  I've dug up the
libcap* packages, played with their source and done some
research.  Below I list three problems I need to resolve and the
conclusions I've come to.

  -- Problem 1: I want to execute as root a program with reduced
     capability set.

     It seems to be impossible, for the kernel's behaviour of
     forcing the effective and permitted sets to be full if
     the binary to be executed has euid == ruid == 0.

     (The `execcap' program included in libcap2-bin states
     incorrectly that it can do that, but it turned out to be
     only setting the cap_i set which renders it completely
     useless).

  -- Problem 2: I'd like to execute as root a program as non-root
     with reduced capability set.

     It's even harder than the previous item, because set*uid()
     resets capability sets unless a linux specific prctl()
     is issued prior to calling set*uid().  Other than this,
     the same comments apply.

  -- Problem 3: I'd like to grant or revoke capabilities to/from
     a running process.

     This seems to be the easiest, except that the kernel in the
     default configuration doesn't permit this (cap_bound doesn't
     contain CAP_SETPCAP which is requirement of a successful
     capset() where the target is not the current process).

     The simplest workaround would be to set CAP_SETPCAP in
     cap_bound (requires to recompile the kernel, for cap_bset
     cannot be extended by anyone except pid == 1 (init)).
     However, I don't see clearly the implications this
     modification would cause, and I don't really want to risk
     it.

     In addition, libcap2 (the two-year old CVS version found
     both in Debian stable and unstable) doesn't provide
     capsetp(), thus implementing such a functionality would be
     difficult and non-portable wrt different kernel versions.
     In any case, this workaround wouldn't be portable, since
     the POSIX draft didn't describe capsetp().

It seems either I missed something or not many care about POSIX
capabilities despite the fuss around them.

Any comments and suggestions are welcome.  Please do not direct
me to other projects like grsecurity.  I'm familiar with it
and don't want to use it for reasons I won't explain here.

bit,
adam

-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989      
finger://borso@vekoll.vein.hu | Some days, my soul's confined
http://www.keyserver.net | And out of mind
Sleep forever
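The sequence behind Problem 2 (keep a reduced capability set across the switch from root to an unprivileged uid), as an added example that is not part of the mail above or of libcap. The "linux specific prctl()" the mail refers to is PR_SET_KEEPCAPS. The code assumes a Linux kernel whose headers provide the v3 capget/capset ABI (linux/capability.h, 2.6.26 or later) and talks to the raw syscalls directly, so libcap is not needed; the uid/gid 65534 is a constructed placeholder for whatever unprivileged account is used locally. The helper functions are split out so the mask construction can be checked without running as root:

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/capability.h>

/* Constructed placeholder: the unprivileged uid/gid to switch to
   (65534 is "nobody"/"nogroup" on many distributions; adjust locally). */
#define UNPRIV_UID 65534
#define UNPRIV_GID 65534

/* Bit for one capability number in the low 32-bit word of the capset
   data (v3 ABI: data[0] covers caps 0-31, data[1] covers 32-63). */
uint32_t cap_bit(int cap)
{
    return (cap < 0 || cap > 31) ? 0u : (1u << cap);
}

/* Mask for a list of capability numbers; out-of-range entries are dropped,
   so the result can never be wider than what was explicitly requested. */
uint32_t cap_mask(const int *caps, size_t n)
{
    uint32_t m = 0;
    for (size_t i = 0; i < n; i++)
        m |= cap_bit(caps[i]);
    return m;
}

/* Set permitted = effective = keep (low word), inheritable = 0, and clear
   every capability above 31.  capset() only lets a process shrink its own
   permitted set, so this call is strictly a privilege reduction. */
int set_caps_exact(uint32_t keep)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2] = { { 0 }, { 0 } };
    data[0].effective = keep;
    data[0].permitted = keep;
    data[0].inheritable = 0;
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Low word of the calling process's effective set, for verification. */
int current_effective(uint32_t *out)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2] = { { 0 }, { 0 } };
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    *out = data[0].effective;
    return 0;
}

/* Problem 2 sequence: root -> unprivileged uid with a reduced capability set.
   Returns 0 on success, -1 (errno set) on failure, -2 if not running as root. */
int drop_root_keeping(uid_t uid, gid_t gid, uint32_t keep)
{
    if (geteuid() != 0)
        return -2;
    /* 1. Without this, set*uid() away from 0 clears permitted and effective. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
        return -1;
    /* 2. Supplementary groups, then gid, then uid: once uid != 0 the
          CAP_SETGID needed for the group changes is no longer effective. */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* 3. KEEPCAPS preserved the permitted set, but setuid() still cleared the
          effective set; restore exactly `keep` and shrink permitted to the
          same value so nothing else can be re-raised later. */
    return set_caps_exact(keep) < 0 ? -1 : 0;
}

int main(void)
{
    const int wanted[] = { CAP_NET_BIND_SERVICE };
    uint32_t keep = cap_mask(wanted, 1), eff = 0;
    int rc = drop_root_keeping(UNPRIV_UID, UNPRIV_GID, keep);
    if (rc == -2) { fprintf(stderr, "not root; nothing to drop\n"); return 1; }
    if (rc < 0 || current_effective(&eff) < 0) { perror("drop"); return 1; }
    printf("uid=%u effective(low)=0x%08x expected=0x%08x\n",
           (unsigned)getuid(), eff, keep);
    return eff == keep ? 0 : 1;
}
```

Run as root, the program ends up as the unprivileged uid with only CAP_NET_BIND_SERVICE effective and permitted; because CAP_SETPCAP is not in the kept set, the process cannot widen its capabilities again, which is the property a least-privilege service wants. Run as non-root it exits without attempting the drop.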
