Mailinglist Archive: opensuse-features (86 mails)

< Previous Next >
[openFATE 307254] Use POSIX capabilities instead of suid
Feature changed by: Cristian Morales Vega (RedDwarf)
Feature #307254, revision 33
Title: Use POSIX capabilities instead of suid

openSUSE-11.3: Rejected by Andreas Jaeger (a_jaeger)
reject date: 2010-11-04 13:34:16
reject reason: not done
Priority
Requester: Neutral

openSUSE-11.4: Evaluation by engineering manager
Priority
Requester: Neutral

Requested by: Pascal Bleser (pbleser)
Developer: Cristian Rodríguez (elvigia)
Developer: Cristian Rodríguez (elvigia)
Developer: Cristian Rodríguez (elvigia)
Partner organization: openSUSE.org

Description:
Use POSIX file capabilities instead of suid processes and running e.g.
Apache as root:
* http://www.nuxified.org/blog/dear-distributors
(http://www.nuxified.org/blog/dear-distributors)
* http://www.friedhoff.org/posixfilecaps.html
(http://www.friedhoff.org/posixfilecaps.html)
* https://www.redhat.com/archives/fedora-devel-list/2009-July/msg01568.html
(https://www.redhat.com/archives/fedora-devel-list/2009-July/msg01568.html)
* https://bugzilla.redhat.com/show_bug.cgi?id=646440
(https://bugzilla.redhat.com/show_bug.cgi?id=646440)
* http://fedoraproject.org/wiki/Features/RemoveSETUID
(http://fedoraproject.org/wiki/Features/RemoveSETUID)
* http://people.redhat.com/sgrubb/libcap-ng/index.html
(http://people.redhat.com/sgrubb/libcap-ng/index.html)
* https://fedoraproject.org/wiki/Features/LowerProcessCapabilities
(https://fedoraproject.org/wiki/Features/LowerProcessCapabilities)
Status: fscaps support is available at packaging level via
/etc/permissions. See iputils as example how to do it.

Discussion:
#1: Jan Engelhardt (jengelh) (2009-08-09 14:21:02)
Some tools like tar(1) do not even support recording Xattrs/ACLs (yet
people still use that for backups), and Filesystem Capabilities (not
POSIX capabilities) would not be recorded either. Such should really be
addresses first, more or less.

#2: Pascal Bleser (pbleser) (2009-08-10 01:30:22) (reply to #1)
No question, it's a mid term objective. And not exactly trivial to
solve either.
I posted this feature rather as a reminder that that enhancement
exists, and that Fedora is trying to get it implemented. Just to keep
an eye on it ;)

#3: Cristian Rodríguez (elvigia) (2010-10-05 20:45:55)
I have enabled support for file capabilities in rpm using the %caps()
macro in factory
However having it enabled in rpm is not that useful as the actual
feature has to be activated manually by the user booting with
file_caps=1 , does anyone know the reason why it isnt enabled by
default ? 


#4: Ludwig Nussel (lnussel) (2010-10-11 09:59:23)
Before we can use fscaps in packages...
1) we need a mechanism that handles fscaps similar to /etc/permissions
2) we need an rpmlint check
3) binaries need to be audited whether they are suitable for fscaps
use, just like setuid binaries


#5: Ludwig Nussel (lnussel) (2010-10-28 13:20:50)
Are we absolutely sure that 11.4 does support file capabilities by
default?
I wonder whether to implement a runtime switchable way between
traditional suid binaries and fscaps.
Also what about run time upgrades to the new distro? In that case the
old kernel without fscaps is running but we would install binaries that
rely on fscaps. Ie the system wouldn't work properly until reboot.

#8: Cristian Rodríguez (elvigia) (2010-11-05 01:53:36) (reply to #5)
It is disabled by default.. have to boot with  file_caps=1  .. does
anyone know why is that ? 
 

#6: Andreas Jaeger (a_jaeger) (2010-11-04 13:35:21)
Seems to be the same idea that Fedora is doing now:
http://lwn.net/Articles/412237/

#7: Ludwig Nussel (lnussel) (2010-11-04 14:08:42) (reply to #6)
yes. my current plan is to not change attributes in the packages
though. Instead applying fscaps happens automatically via
/etc/permissions mechanism if the system supports it. That avoids the
problems Fedora sees atm with file systems that do not support fscaps.
See home:lnussel:fscaps for current state

#9: Sławomir Lach (lachu) (2010-11-07 10:17:22)
I doubt Posix Capabilities is more secure. Imagine, that program still
is runned on user privileges + some capabilties. User can debug
program, changing memory of it, etc.

#12: Robert Davies (robopensuse) (2011-02-04 14:44:54) (reply to #9)
The escalation of privilege is still controlled in way a suid root
program would be, they have however a finer grained "just enough" level
of privilege rather than the whole shebang. Suppose you find a way to
overwrite stack in ping(1), if that does not permit you a root shell,
but simply a privileged socket it is much harder to exploit the flaw in
the program.
You are right, capabilities should not be given to user owned
programs.

#10: Sławomir Lach (lachu) (2010-11-07 10:53:15)
Maybe PolicyKit team will add support of PCaps to PKexec? In this case
any process can run process with some capabilities, but also in
different process group.

#11: Ludwig Nussel (lnussel) (2010-11-24 13:29:38)
fscaps support is now implemented in the permissions package. See ping
in package iputils as example.

#13: Konstantinos Koudaras (warlordfff) (2011-02-22 22:03:25)
I proposed to look at this idea into GSOC ideas wiki page. We are
looking for mentors so if anyone wants to help, please add your name in
the wiki page (http://en.opensuse.org/openSUSE:GSOC_2011_Ideas )

#14: Ludwig Nussel (lnussel) (2011-11-07 10:49:20)
I had to disable fscaps support again as last minute change for 12.1
since tar doesn't support fscaps but is used by kiwi to create images.
Resulting appliances therefore don't work.

+ #15: Cristian Morales Vega (reddwarf) (2012-04-14 14:35:25) (reply to
+ #14)
+ What's the current state?




--
openSUSE Feature:
https://features.opensuse.org/307254

< Previous Next >
This Thread
  • No further messages