Re: request: capabilities that allow users to drop privileges further

From: Richard B. Johnson
Date: Mon Dec 15 2003 - 17:08:50 EST

Next message: Larry McVoy: "Re: RFC - tarball/patch server in BitKeeper"
Previous message: Andrew Morton: "Re: [PATCH] 2.6.0-test11 DAC960 request queue per disk"
In reply to: Felix von Leitner: "request: capabilities that allow users to drop privileges further"
Next in thread: Christian Borntraeger: "Re: request: capabilities that allow users to drop privileges further"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 15 Dec 2003, Felix von Leitner wrote:

> I would like to be able to drop capabilities that every normal user has,
> so that network servers can limit the impact of possible future security
> problems further. For example, I want my non-cgi web server to be able
> to drop the capabilities to
>
> * fork
> * execve
> * ptrace
> * load kernel modules
> * mknod
> * write to the file system
>
> and I would like to modify my smtpd to not be able to
>
> * fork
> * execve
> * ptrace
> * load kernel modules
> * mknod
>
> I can kludge around some of these, for example I can disable fork with
> resource limits, and I can limit writing to the file system with chroot
> and proper permissions in the file systems, but I'm not aware of a way
> to disable ptrace for example, or pthread_create.
>
> I know that there are patches to provide an extended "jail" chroot
> support, but being able to drop capabilities like this would be a more
> general solution.
>
> Felix

So you expect kernel support? Normally, real people write or
modify applications to provide for specific exceptions to
the standards. They don't expect an operating system to
modify itself to unique situations. That's not what
operating systems have generally done in the past.

The 'C' runtime library interfaces to the kernel. You
can use the ld.so.preload capabilities to substitute
private functions for fork(), etc. This has the additional
benefit of allowing crappy, poorly-written, executables
that may have buffer overflows to be executed with
increased confidence. Of course, some root-shell programs
bypass the 'C' runtime libraries.

Cheers,
Dick Johnson
Penguin : Linux version 2.4.22 on an i686 machine (797.90 BogoMips).
Note 96.31% of all statistics are fiction.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Larry McVoy: "Re: RFC - tarball/patch server in BitKeeper"
Previous message: Andrew Morton: "Re: [PATCH] 2.6.0-test11 DAC960 request queue per disk"
In reply to: Felix von Leitner: "request: capabilities that allow users to drop privileges further"
Next in thread: Christian Borntraeger: "Re: request: capabilities that allow users to drop privileges further"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]