Re: Are capabilities worthwhile?



Ertugrul Soeylemez wrote:
Bob Smith <bsmith@xxxxxxxxxxxxx> (06-09-26 09:15:49):
I was under the impression that capabilities were a good idea and
should be user when possible. (In my case, on an appliance.)
Can they really help security?


That's a matter of view. Sure, assuming the capabilities implementation
is working as expected, they could enhance security a bit. But anyway,
would you want to run a process as root? It is not unreasonable that
almost no distribution uses them.
OK, but in what way does using capabilities require
a program be run as root? I do not see a connection.



You should rather stick with a more flexible solution, which is also
more widely tested, like SELinux or grsecurity. I prefer the latter,
because it's simpler, but again: matter of taste.
_Of_course_ I use grsecurity. Making the stack
non-executable is really important as well as
all the other security enhancements that it has.
But grsecurity does not do what capabilities can
(well, should) do. (BTW: I also follow all of the
HOWTOs on network hardening.)


Or are they critically flawed?
Not critically, but their concept is a bit flawed. Firstly, they are
too difficult to manage. Since they work on per-file basis and are
saved on the filesystem, you even don't have an overview of which files
have which capabilities.
I thought that a process could voluntarily drop its
capabilities. For example, after it opens port 80,
a web server could drop it capability to open a
network socket. This limits the damage it can do
if it is ever breached.


Secondly, a security system should never assume that everybody knows
what 'execve' or 'fork' is. We shouldn't force administrators to be
programmers at the same time (though most are).

This also adds a more or less serious security issue. If someone, who
doesn't understand the capabilities, uses them, then he may find himself
in a false sense of security.


Regards,
E.S.
ES, thanks very much for your reply :)

Bob
.