Re: Are capabilities worthwhile?

Ertugrul Soeylemez wrote:
> Bob Smith <bsmith@xxxxxxxxxxxxx> (06-09-26 09:15:49):
> > I was under the impression that capabilities were a good idea and
> > should be used when possible. (In my case, on an appliance.)
> > Can they really help security?
>
> That's a matter of view. Sure, assuming the capabilities implementation
> is working as expected, they could enhance security a bit. But anyway,
> would you want to run a process as root? It is not unreasonable that
> almost no distribution uses them.

OK, but in what way does using capabilities require
a program to be run as root? I do not see a connection.

> You should rather stick with a more flexible solution, which is also
> more widely tested, like SELinux or grsecurity. I prefer the latter,
> because it's simpler, but again: matter of taste.

_Of_course_ I use grsecurity. Making the stack
non-executable is really important, as well as
all the other security enhancements that it has.
But grsecurity does not do what capabilities can
(well, should) do. (BTW: I also follow all of the
HOWTOs on network hardening.)

> > Or are they critically flawed?
>
> Not critically, but their concept is a bit flawed. Firstly, they are
> too difficult to manage. Since they work on a per-file basis and are
> saved on the filesystem, you don't even have an overview of which files
> have which capabilities.

I thought that a process could voluntarily drop its
capabilities. For example, after it opens port 80,
a web server could drop its capability to open a
network socket. This limits the damage it can do
if it is ever breached.

> Secondly, a security system should never assume that everybody knows
> what 'execve' or 'fork' is. We shouldn't force administrators to be
> programmers at the same time (though most are).
>
> This also adds a more or less serious security issue. If someone who
> doesn't understand the capabilities uses them, then he may find himself
> in a false sense of security.

ES, thanks very much for your reply :)
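On the "no overview of which files have which capabilities" point: Linux keeps file capabilities in the security.capability extended attribute of each file, so an inventory is a matter of walking the tree and decoding that attribute. The following is an added example written for this thread, not code from either poster; it reads the attribute with getxattr (no libcap needed), decodes the v2 and v3 on-disk layouts, and lists every file that carries capabilities. It assumes Linux and a filesystem with xattr support; the sample blob is constructed by hand to match what `setcap cap_net_bind_service=ep` writes.

```c
/* Added example (not from the thread): inventory of file capabilities.
 * Linux stores them in the security.capability extended attribute of each
 * executable; this walks a tree, reads that attribute directly (no libcap)
 * and decodes the v2/v3 on-disk layout.  Assumes Linux.  The sample blob
 * below is constructed to match what "setcap cap_net_bind_service=ep"
 * would write. */
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <ftw.h>
#include <inttypes.h>
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>

/* Older kernel headers predate the v3 (user-namespace) layout. */
#ifndef VFS_CAP_REVISION_3
#define VFS_CAP_REVISION_3 0x03000000
#endif

struct file_caps {
    uint64_t permitted;   /* bit N set => capability N is in the permitted set */
    uint64_t inheritable;
    int effective;        /* "e" flag: permitted caps become effective on exec */
    int revision;         /* 2, or 3 when a rootid (user namespace) is present */
    uint32_t rootid;      /* v3 only */
};

/* Decode the raw attribute value.  Layout (little-endian 32-bit words):
 * magic_etc | perm[0] | inh[0] | perm[1] | inh[1] | [rootid].
 * Returns 0 on success, -1 if revision or length is unexpected. */
int decode_file_caps(const unsigned char *buf, size_t len, struct file_caps *out)
{
    uint32_t w[6] = {0};
    if (len != 20 && len != 24)
        return -1;
    for (size_t i = 0; i < len / 4; i++) {
        memcpy(&w[i], buf + 4 * i, 4);
        w[i] = le32toh(w[i]);
    }
    uint32_t rev = w[0] & VFS_CAP_REVISION_MASK;
    if (rev == VFS_CAP_REVISION_2 && len == 20)
        out->revision = 2;
    else if (rev == VFS_CAP_REVISION_3 && len == 24)
        out->revision = 3;
    else
        return -1;
    out->effective = (w[0] & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->permitted = (uint64_t)w[3] << 32 | w[1];
    out->inheritable = (uint64_t)w[4] << 32 | w[2];
    out->rootid = out->revision == 3 ? w[5] : 0;
    return 0;
}

/* 1 if `path` carries file capabilities (decoded into *out), 0 if it has
 * none, -1 on a read or decode error. */
int read_file_caps(const char *path, struct file_caps *out)
{
    unsigned char buf[64];
    ssize_t n = getxattr(path, "security.capability", buf, sizeof buf);
    if (n < 0)
        return (errno == ENODATA || errno == ENOTSUP) ? 0 : -1;
    return decode_file_caps(buf, (size_t)n, out) == 0 ? 1 : -1;
}

/* nftw callback: print one line per regular file that has capabilities. */
static int report(const char *path, const struct stat *sb, int type, struct FTW *ftw)
{
    (void)sb; (void)ftw;
    struct file_caps c;
    if (type == FTW_F && read_file_caps(path, &c) == 1)
        printf("%s: rev%d permitted=0x%" PRIx64 " inheritable=0x%" PRIx64 " effective=%d\n",
               path, c.revision, c.permitted, c.inheritable, c.effective);
    return 0;  /* keep walking */
}

/* Walk one filesystem (FTW_MOUNT) without following symlinks (FTW_PHYS). */
int scan_tree(const char *root)
{
    return nftw(root, report, 32, FTW_PHYS | FTW_MOUNT);
}

/* Constructed sample: v2, effective flag, permitted = CAP_NET_BIND_SERVICE (bit 10). */
const unsigned char SAMPLE_NET_BIND[20] = {
    0x01, 0x00, 0x00, 0x02,   /* magic_etc = 0x02000001 (rev 2 + effective) */
    0x00, 0x04, 0x00, 0x00,   /* permitted[0]   = 1 << 10 */
    0x00, 0x00, 0x00, 0x00,   /* inheritable[0] */
    0x00, 0x00, 0x00, 0x00,   /* permitted[1]   */
    0x00, 0x00, 0x00, 0x00,   /* inheritable[1] */
};

int main(int argc, char **argv)
{
    struct file_caps c;
    if (decode_file_caps(SAMPLE_NET_BIND, sizeof SAMPLE_NET_BIND, &c) == 0)
        printf("sample: permitted=0x%" PRIx64 " effective=%d (CAP_NET_BIND_SERVICE=%d)\n",
               c.permitted, c.effective, CAP_NET_BIND_SERVICE);
    return scan_tree(argc > 1 ? argv[1] : "/usr/bin") == 0 ? 0 : 1;
}
```

Run it against /usr/bin or / to get the missing overview; a file that shows up with a permitted set you did not expect (or with the effective flag on a binary that should raise its own privileges) is exactly the kind of drift an administrator wants to notice before someone else does.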

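The voluntary drop described in the reply (bind port 80, then give up the capability) looks like the following in practice. This is an added example, not code from either poster: it uses the raw capget/capset syscalls so it builds without libcap, and it assumes Linux. The privileged bind only succeeds when the process actually holds CAP_NET_BIND_SERVICE (or the port range is unprivileged); the drop itself works for any user, because reducing capabilities never requires privilege.

```c
/* Added example (not from the thread): do the privileged setup first
 * (binding a port below 1024 needs CAP_NET_BIND_SERVICE), then clear
 * every capability set so a later compromise of the process cannot reuse
 * them.  Raw capget/capset syscalls, no libcap; assumes Linux. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <linux/capability.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Capability sets are two 32-bit words in the v3 kernel ABI. */
#define CAP_WORDS _LINUX_CAPABILITY_U32S_3

/* Fetch the calling thread's capability sets; 0 on success, -1 on error. */
static int get_caps(struct __user_cap_data_struct data[CAP_WORDS])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    memset(data, 0, sizeof(struct __user_cap_data_struct) * CAP_WORDS);
    return (int)syscall(SYS_capget, &hdr, data);
}

/* 1 if `cap` (e.g. CAP_NET_BIND_SERVICE) is in the effective set,
 * 0 if not, -1 on error or out-of-range cap number. */
int has_effective_cap(int cap)
{
    struct __user_cap_data_struct data[CAP_WORDS];
    if (cap < 0 || cap >= 32 * CAP_WORDS || get_caps(data) < 0)
        return -1;
    return (data[cap >> 5].effective >> (cap & 31)) & 1;
}

/* Clear the effective, permitted and inheritable sets.  Shrinking the
 * sets never needs privilege, and once permitted is empty the process
 * cannot add anything back by itself.  Returns 0 on success. */
int drop_all_capabilities(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[CAP_WORDS];
    memset(data, 0, sizeof data);
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Bind a listening TCP socket on 127.0.0.1:`port`; fd or -1 (errno set). */
int bind_listen_port(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Privileged step first: port 80 is the example from the thread. */
    int fd = bind_listen_port(80);
    if (fd < 0)
        fprintf(stderr, "bind 80: %s (needs CAP_NET_BIND_SERVICE)\n", strerror(errno));
    else
        printf("listening on 127.0.0.1:80 (fd %d)\n", fd);

    /* Then throw everything away before touching any untrusted input. */
    if (drop_all_capabilities() != 0) {
        perror("capset");
        return 1;
    }
    printf("CAP_NET_BIND_SERVICE effective after drop: %d\n",
           has_effective_cap(CAP_NET_BIND_SERVICE));

    /* A second privileged bind now fails with EACCES, even if we started
     * as root, unless the kernel's unprivileged port range covers it. */
    int fd2 = bind_listen_port(81);
    printf("bind 81 after drop: %s\n", fd2 < 0 ? strerror(errno) : "succeeded");
    if (fd2 >= 0) close(fd2);
    if (fd >= 0) close(fd);
    return 0;
}
```

One caveat worth knowing before relying on this: an empty permitted set is final for this process image, but execve can hand capabilities back (a setuid or file-capability binary always can, and a uid-0 process regains the full set on exec unless the securebits say otherwise), so the drop belongs in the long-running server itself, not in a wrapper that then execs it.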