RE: Re: Process Capabilities on 2.2.16, Sendmail problem revisited

From: Jesse Pollard (pollard@tomcat.admin.navo.hpc.mil)
Date: Tue Jun 13 2000 - 08:37:58 EST


pavel-velo@bug.ucw.cz:
> >> which spawned an entire OTHER
> >> argument on how that should be done. (ext2+caps,elfcap,et al)
> >
> >Yep. Capabilities in ext2 is just wrong. Using ELF is merely bad.
> >This is a UNIX clone you know; you can't make it into VMS.
>
> Why not? Elfcap is a simple hack that does not break anything. Capabilities *are* useful for simple tasks already. I do not know about VMS, but the current system has practical uses.

Elfcap is insecure, and permits the generation of trojan horses.

> >Ever wonder why? The system is not compatible with UNIX.
> >It isn't even safe. This is making MAC look easy, since at
> >least MAC operates "outside" the normal security system.
>
> elfcap-ed ping would be slightly more secure than current ping. What is unsafe on capabilities?

That depends on the implementation - an incorrect implementation is unsafe.
Capabilities are secure.

>
> >I know one way to fix all this. It is not nearly as fancy, but at
> >least it doesn't cause so many incompatibilities. Do the obvious.
> >Have UID-to-capability and GID-to-capability tables in the kernel.
> >Load them early in the boot or via a trusted daemon. This doesn't
>
> That is just plain ugly. Elfcap is very nice compared to this.

Until you are passed a trojan horse.

> >have any "way cool" inheritance algorithms to confuse admins and
> >programs alike. It just works. Across an exec, capabilities must
> >be fully enabled for compatibility. Capability-aware programs
> >could disable unneeded privilege as the first step in main.
>
> Is not dropping unneeded privileges exactly the thing the other person said he is doing?

No. Dropping unneeded privileges by mandatory use of the capability masking
is what he wants, but it is not necessarily done properly, which leaves incorrect
privileges available.

Using the masking is supposed to help by not requiring the "privileged"
process to be fully aware of the privileged environment. This helps portability
and compatibility since the same program could be used in more than one
environment: ping used in a root-privileged system, and used in a
capability-only system.

Capability lists must be maintained separately from the executable image
(i.e. in the inode, or somewhere else) to prevent the importing of a trojan
containing "elf" implemented capabilities that are not authorized by the
local facility. Just copying a file does not (should not) include copying the
capability list along with it.

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.
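An added example, not part of this thread: the "disable unneeded privilege as the first step in main" approach discussed above, done with the raw capget/capset syscalls (no libcap) so that a ping-like program keeps only CAP_NET_RAW whether it started as root with a full set or in a capability-only system. It assumes Linux with <linux/capability.h>; the names mask_caps, read_caps, write_caps and keep_only are chosen here.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Snapshot of a thread's three capability sets as 64-bit masks (constructed view). */
struct caps { uint64_t effective, permitted, inheritable; };

/* Pure helper: keep only the bits in 'keep'. Inheritable is cleared so nothing
 * is handed across a later exec; sets only ever shrink, so capset cannot refuse. */
static struct caps mask_caps(struct caps cur, uint64_t keep)
{
    struct caps n = { cur.effective & keep, cur.permitted & keep, 0 };
    return n;
}

/* Read the calling thread's sets with capget(2); v3 splits each set in two 32-bit words. */
static int read_caps(struct caps *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    memset(d, 0, sizeof d);
    if (syscall(SYS_capget, &hdr, d) != 0)
        return -1;
    out->effective   = ((uint64_t)d[1].effective   << 32) | d[0].effective;
    out->permitted   = ((uint64_t)d[1].permitted   << 32) | d[0].permitted;
    out->inheritable = ((uint64_t)d[1].inheritable << 32) | d[0].inheritable;
    return 0;
}

/* Write the sets back with capset(2). */
static int write_caps(const struct caps *c)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    d[0].effective   = (uint32_t)c->effective;   d[1].effective   = (uint32_t)(c->effective >> 32);
    d[0].permitted   = (uint32_t)c->permitted;   d[1].permitted   = (uint32_t)(c->permitted >> 32);
    d[0].inheritable = (uint32_t)c->inheritable; d[1].inheritable = (uint32_t)(c->inheritable >> 32);
    return syscall(SYS_capset, &hdr, d) == 0 ? 0 : -1;
}

/* Called first thing in main: shrink the current sets to 'keep'. */
int keep_only(uint64_t keep)
{
    struct caps cur;
    if (read_caps(&cur) != 0)
        return -1;
    cur = mask_caps(cur, keep);
    return write_caps(&cur);
}

int main(void)
{
    /* A ping-like tool needs raw sockets only; every other capability is dropped here. */
    return keep_only(1ULL << CAP_NET_RAW) == 0 ? 0 : 1;
}
```

After the raw socket is open the program can call keep_only(0) to give up CAP_NET_RAW as well.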

This archive was generated by hypermail 2b29 : Fri Jun 23 2000 - 21:00:11 EST