Re: Are capabilities worthwhile?
- From: Bob Smith <bsmith@xxxxxxxxxxxxx>
- Date: Wed, 27 Sep 2006 06:54:15 GMT
Ertugrul Soeylemez wrote:
> Bob Smith <bsmith@xxxxxxxxxxxxx> (06-09-26 09:15:49):
>> I was under the impression that capabilities were a good idea and
>> should be used when possible. (In my case, on an appliance.)
>> Can they really help security?
> That's a matter of view. Sure, assuming the capabilities implementation
> is working as expected, they could enhance security a bit. But anyway,
> would you want to run a process as root? It is not unreasonable that
> almost no distribution uses them.

OK, but in what way does using capabilities require
a program be run as root? I do not see a connection.

> You should rather stick with a more flexible solution, which is also
> more widely tested, like SELinux or grsecurity. I prefer the latter,
> because it's simpler, but again: matter of taste.

_Of_course_ I use grsecurity. Making the stack
non-executable is really important as well as
all the other security enhancements that it has.
But grsecurity does not do what capabilities can
(well, should) do. (BTW: I also follow all of the
HOWTOs on network hardening.)

>> Or are they critically flawed?
> Not critically, but their concept is a bit flawed. Firstly, they are
> too difficult to manage. Since they work on a per-file basis and are
> saved on the filesystem, you don't even have an overview of which files
> have which capabilities.

I thought that a process could voluntarily drop its
capabilities. For example, after it opens port 80,
a web server could drop its capability to open a
network socket. This limits the damage it can do
if it is ever breached.

> Secondly, a security system should never assume that everybody knows
> what 'execve' or 'fork' is. We shouldn't force administrators to be
> programmers at the same time (though most are).
> This also adds a more or less serious security issue. If someone, who
> doesn't understand the capabilities, uses them, then he may find himself
> in a false sense of security.

ES, thanks very much for your reply :)
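
The voluntary drop discussed in this message (bind the listening port, then give up the privilege) can be sketched as follows. This is an added example, not code from the thread or from any project it mentions; the function names are hypothetical, and it assumes Linux with the raw capget(2)/capset(2) syscalls rather than libcap.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Added example; all function names are hypothetical. Reads the calling
 * thread's capability sets with the raw capget(2) syscall. */
static int caps_get(struct __user_cap_data_struct d[2]) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &h, d);
}

/* 1 if cap is in the effective set, 0 if not, -1 on error. */
int cap_is_effective(int cap) {
    struct __user_cap_data_struct d[2];
    if (caps_get(d) != 0) return -1;
    return (int)((d[cap / 32].effective >> (cap % 32)) & 1u);
}

/* Clear cap from effective, permitted and inheritable; without the permitted
 * bit this thread cannot raise the capability again. 0 on success. */
int cap_drop_permanently(int cap) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (caps_get(d) != 0) return -1;
    __u32 keep = ~(1u << (cap % 32));
    d[cap / 32].effective &= keep;
    d[cap / 32].permitted &= keep;
    d[cap / 32].inheritable &= keep;
    return (int)syscall(SYS_capset, &h, d);
}

/* Bind and listen on port, then drop CAP_NET_BIND_SERVICE before any client
 * data is handled. Returns the listening fd, or -1 if any step fails. */
int bind_then_drop(unsigned short port) {
    struct sockaddr_in a = {0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    a.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) != 0 || listen(fd, 16) != 0 ||
        cap_drop_permanently(CAP_NET_BIND_SERVICE) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void) { return bind_then_drop(80) < 0; }
```

capset(2) changes only the calling thread, so the drop belongs before any worker threads are created. A process that still runs as uid 0 regains its capabilities on execve under default securebits, so the drop is normally paired with switching to an unprivileged user.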