capabilities
Hello all,
I'm toying with POSIX(-like) capabilities. I've dug up the
libcap* packages, played with their source and done some
research. Below I list three problems I need to resolve and the
conclusions I've come to.
-- Problem 1: I want to execute as root a program with reduced
capability set.
It seems to be impossible, for the kernel's behaviour of
forcing the effective and permitted sets to be full if
the binary to be executed has euid == ruid == 0.
(The `execcap' program included in libcap2-bin states
incorrectly that it can do that, but it turned out to be
only setting the cap_i set which renders it completely
useless).
-- Problem 2: I'd like to execute as root a program as non-root
with reduced capability set.
It's even harder than the previous item, because set*uid()
resets capability sets unless a Linux-specific prctl()
is issued prior to calling set*uid(). Other than this,
the same comments apply.
-- Problem 3: I'd like to grant or revoke capabilities to/from
a running process.
This seems to be the easiest, except that the kernel in the
default configuration doesn't permit this (cap_bound doesn't
contain CAP_SETPCAP, which is a requirement of a successful
capset() where the target is not the current process).
The simplest workaround would be to set CAP_SETPCAP in
cap_bound (requires recompiling the kernel, for cap_bset
cannot be extended by anyone except pid == 1 (init)).
However, I don't see clearly the implications this
modification would cause, and I don't really want to risk
it.
In addition, libcap2 (the two-year old CVS version found
both in Debian stable and unstable) doesn't provide
capsetp(), thus implementing such a functionality would be
difficult and non-portable wrt different kernel versions.
In any case, this workaround wouldn't be portable, since
the POSIX draft didn't describe capsetp().
It seems either I missed something or not many care about POSIX
capabilities despite the fuss around them.
Any comments and suggestions are welcome. Please do not direct
me to other projects like grsecurity. I'm familiar with it
and don't want to use it for reasons I won't explain here.
bit,
adam
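The sequence the mail describes for Problem 2 (a Linux-specific prctl() before set*uid(), then trimming the kept set) as an added C example; it is not code from the mail, from libcap or from any project named in it. It talks to capget(2)/capset(2) through syscall() so it does not depend on libcap's capsetp(), and assumes the kernel's v3 capability ABI (two 32-bit words per set) and a target uid of 65534, both of which are choices of this example rather than anything in the post.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Raw capget(2)/capset(2) via syscall(), so nothing here needs libcap or its
 * capsetp(). Assumption: the v3 ABI (two 32-bit words per set); the kernels
 * discussed in the mail used a single word, but the bit layout is the same. */
typedef struct __user_cap_header_struct cap_hdr_t;
typedef struct __user_cap_data_struct cap_data_t;

static int cap_word(int cap) { return cap >> 5; }            /* which u32 holds cap */
static uint32_t cap_bit(int cap) { return 1u << (cap & 31); } /* bit inside that u32 */

/* 1 if cap is in the caller's permitted set, 0 if not, -1 on error. Works unprivileged. */
int cap_in_permitted(int cap) {
    cap_hdr_t h = { _LINUX_CAPABILITY_VERSION_3, 0 };       /* pid 0 = calling process */
    cap_data_t d[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &h, d) != 0) return -1;
    return (d[cap_word(cap)].permitted & cap_bit(cap)) != 0;
}

/* Problem 2 from the mail: leave uid 0 for `uid` but keep exactly the `n` caps in
 * `keep`. Order is the whole point: PR_SET_KEEPCAPS must be set before setuid(),
 * or setuid() empties the permitted set. setuid() still clears effective, so the
 * final capset() trims permitted to the wanted bits and re-raises them as effective.
 * Inheritable stays empty, so nothing survives a later execve(). Returns 0 on success. */
int drop_to_uid_keeping(uid_t uid, const int *keep, size_t n) {
    cap_hdr_t h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    cap_data_t d[_LINUX_CAPABILITY_U32S_3] = {{0}};
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    for (size_t i = 0; i < n; i++) {
        d[cap_word(keep[i])].permitted |= cap_bit(keep[i]);
        d[cap_word(keep[i])].effective |= cap_bit(keep[i]);
    }
    if (syscall(SYS_capset, &h, d) != 0) return -1;          /* EPERM if a cap was not held */
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);                /* back to default semantics */
}

int main(void) {
    const int keep[] = { CAP_NET_BIND_SERVICE };              /* e.g. a daemon binding port 80 */
    if (drop_to_uid_keeping(65534, keep, 1) != 0) { perror("drop_to_uid_keeping"); return 1; }
    printf("uid=%u net_bind_service=%d setpcap=%d\n", (unsigned)getuid(),
           cap_in_permitted(CAP_NET_BIND_SERVICE), cap_in_permitted(CAP_SETPCAP));
    return 0;
}
```

Run as root to see the uid change and only the kept capability survive; an unprivileged caller gets EPERM from setuid() and the helper reports failure.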