Re: Filesystem Capabilities in 2.6?
Theodore Ts'o (tytso@mit.edu)
Mon, 4 Nov 2002 09:39:27 -0500
On Sun, Nov 03, 2002 at 01:37:19AM -0500, Alexander Viro wrote:
> > In other words, it would actually make perfect sense to have
> >
> > -r-sr-sr-x 1 nobody mail 451280 Apr 8 2002 /usr/bin/sendmail
> >
> > mount --bind --capability=chown,bindlow /usr/bin/sendmail /usr/bin/sendmail
>
> *blam*
>
> Congratulations with potential crapload of security holes - now anyone
> who'd compromised a process running as nobody can chmod the damn thing
> and modify it.
>
> And that is the reason why suid-nonroot is bad. It creates a class of
> binaries that can easily give you a root compromise if one of them has
> an exploit - even if that one is never run by root.
This is solved by some implementations of POSIX capabilities by
zapping any capabilities if the executible is modified --- just as
some Unix systems zap the setuid bit if the executable is modified.
It addresses specifically the problem that you've raised.
- Ted
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/