Re: [RFC][PATCH v3] Unprivileged: Disable raising of privileges

From: Eric W. Biederman
Date: Thu Dec 31 2009 - 13:33:21 EST


"Andrew G. Morgan" <morgan@xxxxxxxxxx> writes:

> Why not implement this as another securebit? So far as I can see the
> whole thing can be implemented in the capability LSM.
>
> What is less clear to me is whether per-process 'disabling of setuid
> bits on files' should force mandatory disabling of file capabilities.
> It seems as if disabling the transition of one luser to another luser
> through a setuid executable is something distinct from privilege
> escalation.
>
> Since there is already independent support for disabling file
> capabilities (the privilege escalation part), I see these two
> mechanisms as separable.

The goal is to disable privilege escalation.

The anatomy of the sendmail capabilities bug as I understand it was:

- unprivileged process took action to prevent gaining a capability.
- exec'd suid sendmail.
- sendmail took action as root because it could not become someone else.

I would like to trivially stop that entire class of exploit by making
exec'ing a suid (or equivalent) executable impossible.

Once that hole is closed we can enable things like chroot without
privilege.

If there is a way to express this with capabilities today, I would be
more than happy to.

Eric
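The three-step anatomy Eric describes has a userspace counterpart that a defender will want to see alongside the kernel-side fix: the setuid program itself must verify that its attempt to "become someone else" actually succeeded, and abort if it did not. The block below is an added example written for this page, not code from the thread, from sendmail, or from the kernel patch under discussion; the function names `drop_to_user` and `verify_dropped` are this example's own.

```c
/* Added example (not from the thread): the userspace side of the sendmail
 * lesson.  A setuid program that switches to an unprivileged user must check
 * that the id change really took effect; the failure mode Eric describes is a
 * program that keeps acting as root because setuid() silently failed.
 * Function names (drop_to_user, verify_dropped) are this example's own.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Return 0 if the real, effective and saved uid all equal target and the
 * process cannot regain uid 0; return -1 otherwise. */
int verify_dropped(uid_t target)
{
    uid_t ruid, euid, suid;

    if (getresuid(&ruid, &euid, &suid) != 0)
        return -1;
    if (ruid != target || euid != target || suid != target)
        return -1;
    /* If a way back to root still exists (saved uid or CAP_SETUID), the
     * drop is not a drop.  For an unprivileged caller this call fails with
     * EPERM, which is the expected outcome. */
    if (target != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

/* Permanently switch all three uids to target and verify the switch.
 * Returns 0 on success, -1 with errno set on failure.  The caller must treat
 * failure as fatal rather than continuing with its current privileges. */
int drop_to_user(uid_t target)
{
    if (setresuid(target, target, target) != 0)
        return -1;          /* EPERM, or EAGAIN if a per-user limit blocks it */
    if (verify_dropped(target) != 0) {
        errno = EPERM;      /* ids did not change as requested */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Unprivileged callers can only "drop" to themselves; a setuid-root
     * program would pass the uid of the account it intends to serve. */
    uid_t me = getuid();

    if (drop_to_user(me) != 0) {
        perror("drop_to_user");
        return 1;           /* never continue as the wrong user */
    }
    printf("now running as uid %u with no way back to root\n", (unsigned)me);
    return 0;
}
```

The point of `verify_dropped` is that the return value of `setresuid()` alone is not the whole story: reading the ids back and probing `seteuid(0)` confirms both that the switch happened and that no path back to root remains. This is the program-level check; the kernel-side change debated in the thread aims to remove the need to rely on every setuid binary getting it right.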