Fedora 11: moving to posix file capabilities?

Steve Grubb sgrubb at redhat.com
Wed Oct 29 19:13:11 UTC 2008


On Wednesday 29 October 2008 12:53:16 Colin Walters wrote:
> > Are we ready to start considering moving away from SUID bits to
> > capabilities, in Fedora 11 maybe?
>
> Note that from the desktop direction we've been moving the OS away
> from exec-based domain transitions to message passing (e.g. PolicyKit)
> for a variety of reasons.

From a security point of view...I don't like this at all.

1) We've spent a lot of time on getting audit right. We can tell what account 
was logged in under and find every single application that was started as a 
result of that login. Message passing breaks this. 

2) There is no accountability for what actions are performed for each user. 
The audit system cannot tell who something was done for.

3) There is yet another MAC policy with no auditing of access decisions.

4) Setuid apps get special treatment from ld.so and other things so that 
certain actions cannot be performed like ptrace or LD_PRELOAD.

5) Setuid apps can be found quite easily and they are well known and well 
reviewed for bugs. If you want admin only use, it's easy to take off the 
setuid bit.

-Steve