Re: Lower Process Capabilities

On Sun, 26 Jul 2009, Steve Grubb wrote:

> The basic idea goes something like this: We would like to do something to 
> prevent priv escalation for processes running as root. For this example, let's 
> take cupsd to be a good case in point. If the attacker can find a vuln with 
> cupsd, then they can have root privs and all that goes with it. (SE Linux may 
> prevent total compromise, but some people turn it off.)

We should put effort into improving SELinux rather than papering things 
over with new or previously discarded security schemes.

Capabilities are inherently problematic in that you can't meaningfully 
reason about overall system behavior with them.

e.g. what does CAP_SYS_ADMIN actually mean?

Here's where the symbol is found in the kernel source:
http://www.cs.fsu.edu/~baker/devices/lxr/http/ident?i=CAP_SYS_ADMIN

I challenge anyone to explain the boundary of privilege for any process 
which has this capability, and how the propagation of that privilege is 
bounded within the system as a whole.

We can do that with SELinux (in fact it's been somewhat designed for this 
purpose), and that's how we should approach the problem.


- James
-- 
James Morris
<jmorris@xxxxxxxxx>

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
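As an added illustration of the narrow part of the question that can be answered mechanically (this is not code from the post, the kernel or cupsd): a small C program that decodes the CapEff and CapBnd masks in a /proc/<pid>/status text and reports whether CAP_SYS_ADMIN (bit 21 in linux/capability.h) is held in the effective set and whether the bounding set still permits it. The two status texts are constructed samples, not captured from a real cupsd; the capability name table follows the bit numbering in linux/capability.h. It answers "does this process hold the bit", not the harder question James raises of what the bit actually lets the process do.

```c
/* cap_audit.c - decode capability masks from a /proc/<pid>/status text and
 * report whether CAP_SYS_ADMIN is held. Added example for this thread; not
 * code from the post, the kernel or cupsd.  Build: cc -std=c99 -Wall cap_audit.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { CAP_SYS_ADMIN_BIT = 21 };   /* bit number from linux/capability.h */

/* Names indexed by bit number, per linux/capability.h (CAP_CHOWN = 0, ...). */
static const char *const cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid",
    "kill", "setgid", "setuid", "setpcap", "linux_immutable",
    "net_bind_service", "net_broadcast", "net_admin", "net_raw",
    "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot",
    "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice",
    "sys_resource", "sys_time", "sys_tty_config", "mknod", "lease",
    "audit_write", "audit_control", "setfcap", "mac_override",
    "mac_admin", "syslog", "wake_alarm", "block_suspend", "audit_read",
    "perfmon", "bpf", "checkpoint_restore",
};
#define NUM_CAP_NAMES (sizeof cap_names / sizeof cap_names[0])

/* Locate "field:" at the start of a line and parse the hex mask after it.
 * Returns 1 and stores the mask, or 0 if no such line exists. */
int parse_cap_field(const char *status, const char *field, uint64_t *mask)
{
    size_t flen = strlen(field);
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            *mask = strtoull(line + flen + 1, NULL, 16); /* skips the tab */
            return 1;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return 0;
}

int has_cap(uint64_t mask, int cap)
{
    return cap >= 0 && cap < 64 && (int)((mask >> cap) & 1u);
}

/* Write the set bits as a comma-separated name list (unknown bits print as
 * "cap_N"); output is truncated to fit. Returns the number of bits set. */
int cap_mask_names(uint64_t mask, char *out, size_t outlen)
{
    int n = 0;
    size_t used = 0;
    out[0] = '\0';
    for (int bit = 0; bit < 64; bit++) {
        if (!has_cap(mask, bit)) continue;
        if (used < outlen) {
            int w = ((size_t)bit < NUM_CAP_NAMES)
                ? snprintf(out + used, outlen - used, "%s%s", n ? "," : "", cap_names[bit])
                : snprintf(out + used, outlen - used, "%scap_%d", n ? "," : "", bit);
            if (w > 0) used += ((size_t)w < outlen - used) ? (size_t)w : outlen - used;
        }
        n++;
    }
    return n;
}

/* 1 if the effective set holds CAP_SYS_ADMIN, 0 if not, -1 if no CapEff line. */
int holds_sys_admin(const char *status)
{
    uint64_t eff;
    if (!parse_cap_field(status, "CapEff", &eff)) return -1;
    return has_cap(eff, CAP_SYS_ADMIN_BIT);
}

/* Constructed samples (not captured from a real system): a root daemon with
 * full capability sets, and the same daemon lowered to CAP_DAC_OVERRIDE and
 * CAP_NET_BIND_SERVICE (bits 1 and 10 = 0x402) in all sets including CapBnd. */
static const char full_root_status[] =
    "Name:\tcupsd\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\n"
    "CapPrm:\tffffffffffffffff\nCapEff:\tffffffffffffffff\nCapBnd:\tffffffffffffffff\n";
static const char lowered_status[] =
    "Name:\tcupsd\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000402\nCapEff:\t0000000000000402\nCapBnd:\t0000000000000402\n";

static void report(const char *label, const char *status)
{
    uint64_t eff = 0, bnd = 0;
    char names[1024];
    if (!parse_cap_field(status, "CapEff", &eff)) { printf("%s: no CapEff\n", label); return; }
    parse_cap_field(status, "CapBnd", &bnd);
    int n = cap_mask_names(eff, names, sizeof names);
    printf("%s: CapEff=%016llx, %d caps: %s\n", label, (unsigned long long)eff, n, names);
    printf("%s: CAP_SYS_ADMIN %s in CapEff; bounding set %s it\n", label,
           has_cap(eff, CAP_SYS_ADMIN_BIT) ? "held" : "absent",
           has_cap(bnd, CAP_SYS_ADMIN_BIT) ? "still permits" : "excludes");
}

int main(void)
{
    report("full-root", full_root_status);
    report("lowered", lowered_status);
    FILE *f = fopen("/proc/self/status", "r");   /* audit ourselves on Linux */
    if (f) {
        static char buf[8192];
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        report("self", buf);
    }
    return 0;
}
```

The bounding-set line matters because a uid 0 process whose CapBnd still contains a bit can get it back on exec; lowering CapEff alone does not bound what the process can become.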
