Re: Filesystem Capabilities in 2.6?

Alan Cox (alan@lxorguk.ukuu.org.uk)
03 Nov 2002 13:03:56 +0000


On Sun, 2002-11-03 at 04:28, Alexander Viro wrote:
> BTW, here's a fresh demonstration (found half an hour ago) that capabilities
> do *not* permit a more lax attitude when writing stuff with elevated privileges:
> * /usr/lib/games/nethack/recover is run at the boot time (as root)
> to recover crashed games.
> * Debian nethack 3.4.0-3.1 has it installed root.games and it
> is group-writable - cretinism in debian/rules, upstream is not guilty
> in that (BTW, so is /usr/lib/games/nethack/recover-helper).
> * ergo, any exploitable hole in sgid-games binary (rogue, for
> instance) is trivially elevated to root exploit.

This is why you also want something stronger than just capability
models. In a strong security system the following happens.

User hacks nethack
User compromises recover (and in doing so reduces its integrity)

Reboot
Root tries to run recover
Recover has insufficient integrity
Error messages appear

You would also have a "game playing" role which would mean a compromised
game could only write to the game score and save files, and could only
read the nominated game configuration files.

The problem with this is it's nontrivial to set up all the rules. Being
able to use namespaces to revoke rights is a big help. If we were to add
a capability for 'getting out of chroot' then we can also combine it
with chroot to drop users into an unprivileged universe from which they
cannot escape because we took away the chroot stuff and we took away
rawio and so on.

Alan
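The integrity sequence Alan sketches, as a toy low-watermark (Biba-style) model; this is an added example, not code from the thread or the kernel, and the HIGH/LOW labels and the Obj/Subject classes are assumptions made for illustration.

```python
from dataclasses import dataclass, field

HIGH, LOW = 2, 1  # assumed integrity levels: root/system objects = HIGH, games = LOW


@dataclass
class Obj:
    """A file with an integrity label (constructed, not a real inode attribute)."""
    name: str
    integrity: int


@dataclass
class Subject:
    """A process with an integrity label and an audit trail."""
    name: str
    integrity: int
    log: list = field(default_factory=list)


def write(subj: Subject, obj: Obj) -> None:
    """Low-watermark rule: a write by a lower-integrity subject drags the
    object's label down to the writer's level (plain DAC records nothing here)."""
    if subj.integrity < obj.integrity:
        obj.integrity = subj.integrity
    subj.log.append(f"{subj.name} wrote {obj.name} -> integrity {obj.integrity}")


def execute(subj: Subject, obj: Obj) -> tuple[bool, str]:
    """Exec is a read: refuse unless the object is at least as trusted as the subject."""
    if obj.integrity < subj.integrity:
        return False, f"{obj.name}: insufficient integrity ({obj.integrity} < {subj.integrity})"
    return True, f"{subj.name} ran {obj.name}"


def boot_after_tamper() -> tuple[bool, str]:
    """Viro's case: a group-writable root-owned helper is written by the
    games group, then root tries to run it at boot."""
    recover = Obj("/usr/lib/games/nethack/recover", HIGH)
    games = Subject("games (via compromised nethack)", LOW)
    root = Subject("root (boot)", HIGH)
    write(games, recover)          # group-writable file, so the write itself is allowed
    return execute(root, recover)  # but the label dropped, so the exec is refused


def boot_untampered() -> tuple[bool, str]:
    """Control case: nobody below root has touched the helper."""
    return execute(Subject("root (boot)", HIGH), Obj("/usr/lib/games/nethack/recover", HIGH))
```

With DAC and capabilities alone, root's boot-time exec of the group-written file would simply succeed; the label is what turns the earlier write into the "insufficient integrity" error at boot.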
