Lower Process Capabilities

James Morris jmorris at namei.org
Mon Jul 27 09:25:46 UTC 2009


On Sun, 26 Jul 2009, Steve Grubb wrote:

> The basic idea goes something like this: We would like to do something to 
> prevent priv escalation for processes running as root. For this example, let's 
> take cupsd to be a good case in point. If the attacker can find a vuln with 
> cupsd, then they can have root privs and all that goes with it. (SE Linux may 
> prevent total compromise, but some people turn it off.)

We should put effort into improving SELinux rather than papering things 
over with new or previously discarded security schemes.

Capabilities are inherently problematic in that you can't meaningfully 
reason about overall system behavior with them.

e.g. what does CAP_SYS_ADMIN actually mean?

Here's where the symbol is found in the kernel source:
http://www.cs.fsu.edu/~baker/devices/lxr/http/ident?i=CAP_SYS_ADMIN

I challenge anyone to explain the boundary of privilege for any process 
which has this capability, and how the propagation of that privilege is 
bounded within the system as a whole.

We can do that with SELinux (in fact it's been somewhat designed for this 
purpose), and that's how we should approach the problem.


- James
-- 
James Morris
<jmorris at namei.org>
