Re: User vs. Kernel (was: To be smug, or not to be smug, that is , the question)

Andrej Presern (andrejp@luz.fe.uni-lj.si)
Sun, 24 Jan 1999 14:39:03 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Pavel Machek: "Re: [Patch available] SCSI-Idle for 2.2.0"
Previous message: Alan Cox: "VM performance"

MOLNAR Ingo wrote:
> > >> * Lack of a decent privilege/capability model
> > >
> > > (i guess you missed include/linux/capability.h, a feature of 2.2.
> > > Not completely finished, but the main mechanizm is in there.)
> >
> > I believe he means "true" capability support. In any case,
> > Linux can't revoke normal user capabilities.
>
> what do you mean by 'true'. what is 'user capabilities'.

By 'true capabilities' he means what information security literature
refers to when discussing 'capability systems'. This is in contrast to
'capability lists' which is a protection mechanism often implemented in
'access control list systems', and which happens to be what Linux
contains support for.

> If you mean
> military grade security, where one can restrict a user to be able only to
> execute the 'nop' assembly instruction, then you are right, Linux's doesnt
> want to do that. Linux has a capability model that splits up _system_
> priviledges (thus risks) so that eg. a security hole in 'ping' doesnt mean
> a full system compromise.

Linux does not have a capability model!

Again (yes, I've pointed this out on several occasions so far, on this
list), by using incorrect terms you are introducing a lot of confusion
(as is evident above) and a false sense of security. Capability lists
ARE NOT true capabilities. They are not even a capability model. They
are an access control list model.

If you look at individual privileges in Linux, you will find that there
is a finite list of exactly specified items, and that the object always
receives the _whole_ list in which individual items are either enabled
or disabled. This is an access control list that tells the object what
it can do and what it can't do (notice the 'what it can't do'). A
capability system on the other hand does not specify explicitly what an
object can't do, but only what it can. For everything that it can do, it
has a capability token that it uses to authorize the action. Everything
that it doesn't explicitly have a capability token for, it can't do (in
other words, in a capability system there is no such thing as a
'negative capability', such as a disabled capability in a capability
list).

The difference between security provided by what is in the Linux kernel
and a decent capability system is similar to that of a paper wall that
can be penetrated by a pencil and a 10m thick concrete wall that can
take a nuke.

Andrej

-- Andrej Presern, andrejp@luz.fe.uni-lj.si

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/

Next message: Pavel Machek: "Re: [Patch available] SCSI-Idle for 2.2.0"
Previous message: Alan Cox: "VM performance"