Radical idea? Remove all automatic privilege escalation based on executable file attributes!

From: Markku Savela
Date: Fri Aug 08 2008 - 06:32:06 EST



That is, remove

- setuid/setgid feature from Linux

- cancel the capability attributes in files (or only allow
downgrading of capabilities)

(e.g. mount everything as nosuid or something, but eventually, the
code could be removed from the kernel)

The only way to escalate privileges would be to request starting of
the executable by some daemon (like upstart), which would grant or
deny the request based totally on some user space policies.

If granted,

- would fork
- child would set up the specified credentials for itself
- execve (or equivalent)

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
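The grant path sketched in the message (policy check, fork, child sets credentials, execve) as an added example; this is not code from the original post or from any existing daemon. The policy table, the uid/path values and the `policy_lookup`/`broker_run` names are constructed for illustration. A real broker would learn the requester's uid from the kernel (for example SCM_CREDENTIALS on a unix socket) rather than take it as a parameter, and would load the policy from a file instead of a static table.

```c
/* Added example, not from the original post: a minimal user-space
 * privilege broker of the kind the message describes. Policy lives
 * entirely in user space; nothing is derived from file attributes. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* One policy entry: which requesting uid may run which program, and
 * with which credentials the child is started. Constructed values. */
struct policy_rule {
    uid_t requester;      /* uid that is allowed to ask */
    const char *path;     /* exact absolute path of the program */
    uid_t run_uid;        /* credentials the child receives */
    gid_t run_gid;
};

/* Constructed sample policy; a real broker would load this from a file. */
static const struct policy_rule policy[] = {
    { 1000, "/usr/bin/passwd", 0, 0 },   /* uid 1000 may run passwd as root */
    { 1000, "/usr/bin/ping",   0, 0 },
    /* no rule lets uid 1001 run anything privileged */
};

/* Look up the rule for (requester, path). Returns the rule or NULL.
 * The match is exact: a relative path or a lookalike name does not match. */
const struct policy_rule *policy_lookup(uid_t requester, const char *path)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].requester == requester && strcmp(policy[i].path, path) == 0)
            return &policy[i];
    return NULL;
}

/* Grant or deny a request. On grant: fork; the child drops supplementary
 * groups, sets gid, then uid (this order matters: once uid is non-root the
 * earlier steps would fail), verifies the result, and execs. Returns the
 * child pid on grant, -1 with errno = EACCES on deny, -1 on other errors.
 * The parent never changes its own credentials. */
pid_t broker_run(uid_t requester, const char *path,
                 char *const argv[], char *const envp[])
{
    const struct policy_rule *rule = policy_lookup(requester, path);
    if (!rule) {
        errno = EACCES;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setgroups(0, NULL) != 0 ||
            setgid(rule->run_gid) != 0 ||
            setuid(rule->run_uid) != 0)
            _exit(126);
        /* Defence in depth: refuse to exec unless the switch really took. */
        if (getuid() != rule->run_uid || geteuid() != rule->run_uid ||
            getgid() != rule->run_gid || getegid() != rule->run_gid)
            _exit(126);
        execve(path, argv, envp);
        _exit(127);  /* only reached if execve failed */
    }
    return pid;
}

int main(void)
{
    /* Constructed request: uid 1001 asks for passwd and is denied by policy,
     * so no child is ever forked. Runs unprivileged. */
    char *const argv[] = { "passwd", NULL };
    char *const envp[] = { NULL };
    if (broker_run(1001, "/usr/bin/passwd", argv, envp) < 0 && errno == EACCES)
        printf("denied by policy\n");
    return 0;
}
```

The deny path is decided before `fork()`, so a refused request costs nothing and leaves no half-privileged process behind; the grant path checks every credential change rather than assuming it succeeded, which is the usual failure mode when such code runs without root.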