Re: Are capabilities worthwhile?



On 26.09.2006, Ertugrul Soeylemez <never@xxxxxxxxxxxxxx> wrote:
Bob Smith <bsmith@xxxxxxxxxxxxx> (06-09-26 09:15:49):

I was under the impression that capabilities were a good idea and
should be user when possible. (In my case, on an appliance.)

An article at Linux Weekly News makes me doubt my assumption about
capabilities:
http://lwn.net/Articles/198557/

What do you think?
Can they really help security?

That's a matter of view. Sure, assuming the capabilities implementation
is working as expected, they could enhance security a bit. But anyway,
would you want to run a process as root?

But on the other hand, wouldn't you want to run ping as casual user with
CAP_NET_RAW capability instead of full root privileges (SUID)?

It is not unreasonable that
almost no distribution uses them.

You should rather stick with a more flexible solution, which is also
more widely tested, like SELinux or grsecurity. I prefer the latter,
because it's simpler, but again: matter of taste.

Ah, I see. You're taking capabilities as something _restricting root_
instead of something enabling casual user to do few things requiring
root privileges. [*]

Or are they critically flawed?

Not critically, but their concept is a bit flawed. Firstly, they are
too difficult to manage. Since they work on per-file basis and are
saved on the filesystem, you even don't have an overview of which files
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
have which capabilities.
^^^^^^^^^^^^^^^^^^^^^^^
Why do you think that?
"Since _Unix permissions_ work on per-file basis and are saved on the
filesystem, you don't even have an overview of which files have which
_permissions_"?

Secondly, a security system should never assume that everybody knows
what 'execve' or 'fork' is. We shouldn't force administrators to be
programmers at the same time (though most are).

....and most should be.

This also adds a more or less serious security issue. If someone, who
doesn't understand the capabilities, uses them, then he may find himself
in a false sense of security.

Bingo! (see: [*])

--
<Kosma> Niektórzy lubią dozziego...
<Kosma> Oczywiście szanujemy ich.
Stanislaw Klekot
.



Relevant Pages