Mailinglist Archive: opensuse (1165 mails)

[opensuse] Re: Should openSUSE review it's Security Policies?
  • From: Jim Henderson <hendersj@xxxxxxxxx>
  • Date: Fri, 2 Mar 2012 10:04:30 +0000 (UTC)
  • Message-id: <jiq5vd$719$2@dough.gmane.org>
On Fri, 02 Mar 2012 08:05:22 +0100, Roger Oberholtzer wrote:

>> From what I understand, kernel capabilities are disabled selectively -
>> you start a program as root and it has access to everything, and then
>> the program (perhaps also an external process can do this - that I
>> don't know) disables what the program shouldn't be allowed to do.
>
> The kernel does this. If the UID is 0 (root) some set of permissions is
> enabled. If not 0 (not running as root) a different default set is
> enabled. The 'capabilities' mechanism allows extension of what non-0 UID
> apps can do. The permissions, it seems, are stored in the file system
> along with the executable (see 'man capabilities'). So, I would imagine
> it requires either a specific file system, or that additional file
> system options be enabled. The man page is rather vague.

Looking over the man page, it seems reasonably clear to me, but then
again I spent a couple of months at the end of last year looking at
low-level kernel stuff for a project I was working on, and capabilities
were a peripheral part of the project.

The way I read the man page, it's possible to set capabilities for a
particular program using a file in the filesystem (just a config file),
but the default is all capabilities are enabled for a program. The
initial implementation used thread-level control, but without the
mechanism to pre-define what a program could do, the thread had to start
first in order to be manipulated. I want to say this is part of the
CGROUPS implementation, but that could be a faulty recollection on my
part (as the project I was working on had to do mostly with CGROUPS).

So, for example, a program that doesn't need CAP_NET_ADMIN could
voluntarily remove this capability (which might be done for security
purposes, for example, to prevent some sort of exploit making the program
do something it shouldn't be able to do - again, maybe a poor example,
though, due to an incorrect recollection on my part), or an external
control process could revoke the privilege upon seeing the program
execute.

Subtractive use would seem to be relevant mostly to processes run by UID
0, though - perhaps it can also allow a process to run as a non-zero UID
and the capability can be added. That part isn't as clear to me in
looking at the man page - might have to play around with it (an easy test
- grant Wireshark CAP_NET_ADMIN and see if it can capture as non-root).

Jim

--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
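As an added example (not from Jim's mail or from any openSUSE code), this is what the "voluntarily remove this capability" step looks like in C on Linux: the thread reads its own capability sets with capget(2), clears CAP_NET_ADMIN from effective, permitted and inheritable with capset(2) (lowering never needs CAP_SETPCAP), and then checks the effective set again. The helper names effective_has, drop_cap and cap_in_hexmask are this example's own; cap_in_hexmask reads the hex masks that /proc/self/status prints as CapEff/CapPrm/CapBnd, which is the quickest way to verify what a process actually holds.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Raw capget(2)/capset(2) on the calling thread (pid 0); no libcap needed. */
static int cap_get(struct __user_cap_data_struct *d) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &h, d);
}
static int cap_set(struct __user_cap_data_struct *d) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capset, &h, d);
}

/* 1 if `cap` is in this thread's effective set, 0 if not, -1 on error. */
int effective_has(int cap) {
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];
    if (cap_get(d) != 0) return -1;
    return (int)((d[cap / 32].effective >> (cap % 32)) & 1);
}

/* Voluntarily give up one capability for the rest of this thread's life.
 * Reducing a set is always allowed; only raising needs CAP_SETPCAP. */
int drop_cap(int cap) {
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];
    uint32_t bit = 1u << (cap % 32);
    if (cap_get(d) != 0) return -1;
    d[cap / 32].effective   &= ~bit;
    d[cap / 32].permitted   &= ~bit;
    d[cap / 32].inheritable &= ~bit;
    return cap_set(d);
}

/* Test one bit of a CapEff/CapPrm/CapBnd hex mask as printed in
 * /proc/self/status, e.g. "0000003fffffffff" (a constructed sample). */
int cap_in_hexmask(const char *hex, int cap) {
    uint64_t mask = strtoull(hex, NULL, 16);
    return (int)((mask >> cap) & 1);
}

int main(void) {
    printf("CAP_NET_ADMIN effective before: %d\n", effective_has(CAP_NET_ADMIN));
    if (drop_cap(CAP_NET_ADMIN) != 0) { perror("capset"); return 1; }
    printf("CAP_NET_ADMIN effective after:  %d\n", effective_has(CAP_NET_ADMIN));
    return 0;
}
```

Run it as an unprivileged user and as root (or under `setcap cap_net_admin+ep` on the binary) to see the "before" value change while the "after" value stays 0.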
