On 12/21/2010 11:47 AM, Colin Walters wrote:
> Pardon the thread necromancy,
>
> So recently I had cause to look at
> http://fedoraproject.org/wiki/Features/RemoveSETUID
> again (I was investigating the X server permissions for an unrelated reason).
>
> Now, that page links to
> http://people.redhat.com/sgrubb/libcap-ng/index.html
>
> which attempts to explain the value of capabilities, etc. I was
> following along on all of this, and I understand that capabilities
> have some (non-negligible) value if you don't have e.g. cap_sys_admin.
> But then I got to the point where it says:
>
> "But they still have uid 0, which typical system installation allows
> root to do things. For example, /bin/sh is 0755 and /bin is also 0755
> perms. A disarmed root process can still trojan a system. But what if
> we got rid of all the read/write permissions for root?"
>
> So...right, "we can do these small changes, and then if we do this BIG
> CHANGE, it all works!". But this feature doesn't include BIG CHANGE,
> and there are no plans to, right? Or is chmod u-rwx g-rwx on the root
> filesystem really in the cards?
>
> Now,
> https://fedoraproject.org/wiki/Features/LowerProcessCapabilities
> appears to claim 100% completion on this for Fedora 12, but none (?)
> of it happened?

File capabilities just limit the number of capabilities an application starts with. A setuid app means an app starts with all 32 capabilities (plus a couple of new ones). Then it is up to the app developer to drop the capabilities when the app is done using them.

Going to file capabilities just limits the capabilities an application starts with to the specified capabilities. The application developer should still drop the capabilities once they no longer need them. It helps in the case of a bug in an application that does not drop capabilities.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
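The reply above makes two points: file capabilities only shrink the set a process starts with, and the program itself still has to drop what it no longer needs. The following is an added example (not code from this thread, from Fedora, or from libcap-ng) showing what that "drop" looks like with the raw Linux capget(2)/capset(2) syscalls and prctl(2), so it builds without libcap. It assumes Linux; the policy of keeping only CAP_NET_BIND_SERVICE for a daemon that binds a low port is a hypothetical one chosen for illustration, and the bounding-set step addresses the "exec /bin/sh" caveat quoted from the libcap-ng page: removing a capability from the bounding set means a later exec of a setuid or file-capability binary cannot hand it back.

```c
/* Added example: inspect and drop Linux capabilities with raw syscalls.
 * Not code from the thread or from libcap-ng. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Parse a hex mask as printed in /proc/self/status ("CapEff: 0000003fffffffff").
 * Returns UINT64_MAX on a malformed string (no real mask has all 64 bits set). */
static uint64_t mask_from_hex(const char *hex)
{
    char *end;
    errno = 0;
    unsigned long long v = strtoull(hex, &end, 16);
    if (errno != 0 || end == hex) return UINT64_MAX;
    return (uint64_t)v;
}

/* Read one Cap* field ("CapEff", "CapPrm", "CapBnd") from /proc/self/status. */
static uint64_t read_proc_caps(const char *field)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return UINT64_MAX;
    char line[256];
    size_t flen = strlen(field);
    uint64_t mask = UINT64_MAX;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            mask = mask_from_hex(line + flen + 1);
            break;
        }
    }
    fclose(f);
    return mask;
}

/* Current permitted/effective sets via capget(2); version-3 header uses two 32-bit words. */
static int get_caps(uint64_t *permitted, uint64_t *effective)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    *permitted = ((uint64_t)data[1].permitted << 32) | data[0].permitted;
    *effective = ((uint64_t)data[1].effective << 32) | data[0].effective;
    return 0;
}

/* Effective set as a number, UINT64_MAX on error (convenience for checks). */
static uint64_t effective_mask(void)
{
    uint64_t p, e;
    return get_caps(&p, &e) == 0 ? e : UINT64_MAX;
}

/* Drop every capability not in keep from permitted, effective and inheritable.
 * Shrinking to a subset of what the process already holds is always allowed,
 * so this also succeeds (trivially) for an unprivileged caller. */
static int drop_caps_except(uint64_t keep)
{
    uint64_t perm, eff;
    if (get_caps(&perm, &eff) != 0) return -1;
    uint64_t newperm = perm & keep;            /* can only keep what we already have */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    data[0].permitted = data[0].effective = (uint32_t)newperm;
    data[1].permitted = data[1].effective = (uint32_t)(newperm >> 32);
    data[0].inheritable = data[1].inheritable = 0;
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Remove caps outside keep from the bounding set, so a later exec of a setuid or
 * file-capability binary cannot regain them. Needs CAP_SETPCAP; returns how many
 * caps could not be dropped (nonzero when called without that capability). */
static int drop_bounding_set_except(uint64_t keep)
{
    int failed = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        if (keep & (1ULL << cap)) continue;
        if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) != 1) continue;   /* already gone */
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0) failed++;
    }
    return failed;
}

int main(void)
{
    printf("starting effective set: %016llx\n", (unsigned long long)read_proc_caps("CapEff"));
    uint64_t keep = 1ULL << CAP_NET_BIND_SERVICE;  /* hypothetical policy: bind a low port only */
    if (drop_caps_except(keep) != 0) { perror("capset"); return 1; }
    printf("after first drop:       %016llx\n", (unsigned long long)effective_mask());
    /* ... bind() would happen here; afterwards nothing privileged is needed ... */
    if (drop_caps_except(0) != 0) { perror("capset"); return 1; }
    int left = drop_bounding_set_except(0);
    printf("after final drop:       %016llx, %d caps still in bounding set\n",
           (unsigned long long)effective_mask(), left);
    return 0;
}
```

Run it as root and the first line shows the full starting set, the second only bit 10 (CAP_NET_BIND_SERVICE), the third all zeros; run it unprivileged and every mask is already zero, and the bounding-set count stays nonzero because PR_CAPBSET_DROP requires CAP_SETPCAP. A binary given file capabilities instead of setuid would simply start with a smaller first mask, which is exactly the distinction the reply draws: the starting set changes, the obligation to drop does not.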