[Nottingham] Linux (POSIX) capabilities attributes

Martin martin at ml1.co.uk
Thu May 18 09:32:17 UTC 2017


On 18/05/17 09:08, VM wrote:
> On 17 May 2017 17:40:12 BST, Martin via Nottingham <nottingham at mailman.lug.org.uk> wrote:
>> Folks,
>>
>> Quick security question:
>>
>>
>> Does anyone (bother) to use the Linux (POSIX) capabilities attributes
>> for securing/restricting (system/admin/user) utilities ?
>>
>> Or is it SELinux all the way?
>>
>> Or is it just hope and prey? (Deliberate pun there :-P )


> Do you run untrusted software as uid 0 or make suid executables writable by world? :))) Restricting capabilities makes sense for privileged containers that are exposed to untrusted networks and devices. I prefer unprivileged containers so I don't have to use capabilities.


OK... So a quick check on one of my systems for suid executables gives:

# find /bin /usr /sbin -type f -perm /a=s -print
/bin/umount
/bin/passwd
/bin/mount
/bin/ping
/bin/su
/usr/libexec/lockspool
/usr/libexec/dbus-daemon-launch-helper
/usr/bin/gpasswd
/usr/bin/chage
/usr/bin/man
/usr/bin/netselect
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/expiry
/usr/bin/cgexec
/usr/bin/dotlockfile
/usr/bin/atop
/usr/bin/chsh
/usr/bin/mutt_dotlock
/usr/bin/crontab
/usr/sbin/postqueue
/usr/sbin/postdrop
/usr/lib64/misc/rssh_chroot_helper
/usr/lib64/misc/ssh-keysign
/sbin/mount.nfs
/sbin/unix_chkpwd

So the "restricting capabilities" looks to be a good idea :-)


Interesting note about the use in containers also, thanks.

Cheers,
Martin


-- 
- ╔═══════════════════╦══════════════════════════════════════════╗
- ║   Martin Lomas    ║ OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7 ║
- ║ martin@ ml1 co uk ║ Import from   hkp://subkeys.pgp.net   or ║
- ║ ----------------- ║ http:// ml1 .co .uk/martin_ml1_co_uk.gpg ║
- ╚═══════════════════╩══════════════════════════════════════════╝
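The setuid audit Martin ran above, turned into a small reusable script. This is an added example and not code from the thread; it assumes only POSIX find plus, optionally, libcap's getcap, and the directory list and AUDIT_RUN variable are my own choices. It lists setuid/setgid files (the portable -perm -4000/-2000 form rather than GNU's -perm /a=s), counts them so the number can be compared against a baseline over time, and, where getcap exists, also lists files that carry file capabilities, which is the finer-grained alternative the thread is discussing (a ping with cap_net_raw instead of a setuid bit, for instance).

```shell
#!/bin/sh
# Setuid/setgid and file-capability audit (added example, not from the thread).
# Usage: AUDIT_RUN=1 sh audit_suid.sh [dir ...]   (defaults to /bin /usr /sbin)

# Print every regular file with the setuid or setgid bit set under the given
# paths, one per line, sorted so two runs can be diffed. Unreadable dirs are
# skipped silently; -xdev keeps the walk on one filesystem.
list_suid_sgid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Number of setuid/setgid files under the given paths. Track this against a
# known-good baseline: an unexplained increase is worth investigating.
count_suid_sgid() {
    list_suid_sgid "$@" | wc -l | tr -d ' '
}

# Files that carry file capabilities (the finer-grained replacement for suid,
# e.g. cap_net_raw on ping). getcap ships with libcap; if it is not installed
# nothing is printed and the function returns 1 so callers can tell the cases apart.
list_file_caps() {
    command -v getcap >/dev/null 2>&1 || return 1
    getcap -r "$@" 2>/dev/null
}

# Full report on the directories given (or the same ones as the original post).
audit_privileged_files() {
    [ $# -gt 0 ] || set -- /bin /usr /sbin
    echo "== setuid/setgid files under: $* =="
    list_suid_sgid "$@"
    echo "== count: $(count_suid_sgid "$@") =="
    echo "== files with file capabilities =="
    list_file_caps "$@" || echo "(getcap not installed; install libcap to see file capabilities)"
}

# Only run the real audit when asked, so the functions can be sourced elsewhere.
if [ "${AUDIT_RUN:-0}" = 1 ]; then
    audit_privileged_files "$@"
fi
```

Keep the first run's output as a baseline and diff later runs against it; a new setuid binary, or a setuid bit on a file that previously relied on a file capability, is the change to look at. Note that getcap only reports capabilities stored in the file's extended attribute, so directories on filesystems mounted without xattr support will show nothing there.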