Re: request: capabilities that allow users to drop privileges further

From: Richard B. Johnson (root_at_chaos.analogic.com)
Date: 12/15/03

  • Next message: Andrew Morton: "Re: [PATCH] 2.6.0-test11 DAC960 request queue per disk" 
    Date:	Mon, 15 Dec 2003 17:10:00 -0500 (EST)
To: Felix von Leitner <felix-kernel@fefe.de>

    On Mon, 15 Dec 2003, Felix von Leitner wrote:

    > I would like to be able to drop capabilities that every normal user has,
    > so that network servers can limit the impact of possible future security
    > problems further. For example, I want my non-cgi web server to be able
    > to drop the capabilities to
    >
    > * fork
    > * execve
    > * ptrace
    > * load kernel modules
    > * mknod
    > * write to the file system
    >
    > and I would like to modify my smtpd to not be able to
    >
    > * fork
    > * execve
    > * ptrace
    > * load kernel modules
    > * mknod
    >
    > I can kludge around some of these, for example I can disable fork with
    > resource limits, and I can limit writing to the file system with chroot
    > and proper permissions in the file systems, but I'm not aware of a way
    > to disable ptrace for example, or pthread_create.
    >
    > I know that there are patches to provide an extended "jail" chroot
    > support, but being able to drop capabilities like this would be a more
    > general solution.
    >
    > Felix

    So you expect kernel support? Normally, real people write or
    modify applications to provide for specific exceptions to
    the standards. They don't expect an operating system to
    modify itself to unique situations. That's not what
    operating systems have generally done in the past.

    The 'C' runtime library interfaces to the kernel. You
    can use the ld.so.preload capabilities to substitute
    private functions for fork(), etc. This has the additional
    benefit of allowing crappy, poorly-written, executables
    that may have buffer overflows to be executed with
    increased confidence. Of course, some root-shell programs
    bypass the 'C' runtime libraries.

    Cheers,
    *** Johnson
    Penguin : Linux version 2.4.22 on an i686 machine (797.90 BogoMips).
                Note 96.31% of all statistics are fiction.

    -
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  • Next message: Andrew Morton: "Re: [PATCH] 2.6.0-test11 DAC960 request queue per disk"