Re: caps in elf headers: use the sticky bit!

Jeremy Fitzhardinge (jeremy@goop.org)
Tue, 13 Apr 1999 11:37:41 -0700 (PDT)

On 13-Apr-99 Ulrich Schmid wrote:
> Hi,
>
> maybe this could be a compromise between the suid0/sticky solutions:
>
> Advantage of suid 0:
>
> If the fs is used by an old kernel or another OS, only root can
> create/modify executables with caps, this prevents a security hole.
>
> Advantage of sticky bit:
>
> The suid settings used by an old kernel can be configured independent
> from the caps settings used by a new kernel.
>
> To take the best of both I would like to suggest:
>
> 1. Use the sticky bit
> 2. Allow a mount option so that the sticky/caps bit is only honored if
> the executable is owned by root and writable only by root.

You only need special labels on an executable if its trying to raise the
effective capabilities. You don't need anything if the execuable is just
trying to lower them.

My favourite approach:
- use a capability segment in the ELF file to drop capabilities
- use filesystem extentions to mark an executable with raised caps

This is the fail-safe approach. The common task of dropping unwanted
capabilities can be easily implemented in a tool and filesystem independent way.

The more troublesome capability-raising issues are best left to the filesystem.
It doesn't matter too much if other filesystems and tools drop the extra info,
since that simply makes the process unprivileged - and if run as root it can
still drop the capabilities it doesn't want.

J

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/