Re: X only needs CAP_SYS_RAWIO to start -- can be disabled after up

From: James Sutherland (jas88@cam.ac.uk)
Date: Mon Jul 24 2000 - 04:33:20 EST

Next message: David Weinehall: "Re: pre-patch-2.0.39-6"
Previous message: James Sutherland: "Re: disk-destroyer.c"
In reply to: Mark Gray: "X only needs CAP_SYS_RAWIO to start -- can be disabled after up"
Next in thread: Mark Gray: "Re: X only needs CAP_SYS_RAWIO to start -- can be disabled after up"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 24 Jul 2000, Mark Gray wrote:

>
> I just wanted to point out something a lot of people may be missing,
> and that is that once X is up and running, it is quite alright to
> disable CAP_SYS_RAWIO
>
> k5 /usr/src/lcap-0.0.3 # ./lcap -c -vv CAP_SYS_RAWIO
> Current capabilities: 0xFFFFFFFF
> 17) *CAP_SYS_RAWIO
> * = Capability currently allowed
> k5 /usr/src/lcap-0.0.3 # ./lcap CAP_SYS_RAWIO
> k5 /usr/src/lcap-0.0.3 # ./lcap
> Current capabilities: 0xFFFDFFFF
> 0) *CAP_CHOWN 1) *CAP_DAC_OVERRIDE
> 2) *CAP_DAC_READ_SEARCH 3) *CAP_FOWNER
> 4) *CAP_FSETID 5) *CAP_KILL
> 6) *CAP_SETGID 7) *CAP_SETUID
> 8) *CAP_SETPCAP 9) *CAP_LINUX_IMMUTABLE
> 10) *CAP_NET_BIND_SERVICE 11) *CAP_NET_BROADCAST
> 12) *CAP_NET_ADMIN 13) *CAP_NET_RAW
> 14) *CAP_IPC_LOCK 15) *CAP_IPC_OWNER
> 16) *CAP_SYS_MODULE 17) CAP_SYS_RAWIO
> 18) *CAP_SYS_CHROOT 19) *CAP_SYS_PTRACE
> 20) *CAP_SYS_PACCT 21) *CAP_SYS_ADMIN
> 22) *CAP_SYS_BOOT 23) *CAP_SYS_NICE
> 24) *CAP_SYS_RESOURCE 25) *CAP_SYS_TIME
> 26) *CAP_SYS_TTY_CONFIG
> * = Capabilities currently allowed
> k5 /usr/src/lcap-0.0.3 #
> [snip]
>
> And X continues to run perfectly.
> And then when I try to restart it:
>
> Fatal server error:
> xf86EnableIOPorts: Failed to set IOPL for I/O

In other words, when it starts, it completely disables all OS protection
for itself. Of course it no longer needs any capabilities - capabilities
can no longer be enforced for it!

> [snip]
>
> And now, of course, I can no longer start X until a reboot.
>
> Capabilities are a splendid feature which needs to be more widely used
> on Linux servers in my opinion. It has the potential to be a very
> popular feature if properly applied.

And X doesn't. It uses one capability to disable subsequent capability
enforcement completely.

> (Just a little fact that people following the security discussion from
> afar may have missed because it is not being mentioned.)

iopl() is a horrible abomination - as is X, for that matter :-(

James.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Weinehall: "Re: pre-patch-2.0.39-6"
Previous message: James Sutherland: "Re: disk-destroyer.c"
In reply to: Mark Gray: "X only needs CAP_SYS_RAWIO to start -- can be disabled after up"
Next in thread: Mark Gray: "Re: X only needs CAP_SYS_RAWIO to start -- can be disabled after up"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Mon Jul 31 2000 - 21:00:15 EST