[Nottingham] Linux (POSIX) capabilities attributes

VM vadim+NLUG at mankevich.co.uk
Thu May 18 11:51:09 UTC 2017


On 18 May 2017 10:31:57 BST, Martin via Nottingham <nottingham at mailman.lug.org.uk> wrote:
>On 18/05/17 09:08, VM wrote:
>> On 17 May 2017 17:40:12 BST, Martin via Nottingham <nottingham at mailman.lug.org.uk> wrote:
>>> Folks,
>>>
>>> Quick security question:
>>>
>>>
>>> Does anyone (bother to) use the Linux (POSIX) capabilities attributes
>>> for securing/restricting (system/admin/user) utilities?
>>>
>>> Or is it SELinux all the way?
>>>
>>> Or is it just hope and prey? (Deliberate pun there :-P )
>
>
>> Do you run untrusted software as uid 0 or make suid executables
>> writable by world? :))) Restricting capabilities makes sense for
>> privileged containers that are exposed to untrusted networks and
>> devices. I prefer unprivileged containers so I don't have to use
>> capabilities.
>
>
>OK... So a quick check on one of my systems for suid executables gives:
>
># find /bin /usr /sbin -type f -perm /a=s -print
>/bin/umount
>/bin/passwd
>/bin/mount
>/bin/ping
>/bin/su
>/usr/libexec/lockspool
>/usr/libexec/dbus-daemon-launch-helper
>/usr/bin/gpasswd
>/usr/bin/chage
>/usr/bin/man
>/usr/bin/netselect
>/usr/bin/newgrp
>/usr/bin/chfn
>/usr/bin/expiry
>/usr/bin/cgexec
>/usr/bin/dotlockfile
>/usr/bin/atop
>/usr/bin/chsh
>/usr/bin/mutt_dotlock
>/usr/bin/crontab
>/usr/sbin/postqueue
>/usr/sbin/postdrop
>/usr/lib64/misc/rssh_chroot_helper
>/usr/lib64/misc/ssh-keysign
>/sbin/mount.nfs
>/sbin/unix_chkpwd
>
>So the "restricting capabilities" looks to be a good idea :-)
>
>
>Interesting note about the use in containers also, thanks.
>
>Cheers,
>Martin
>
>
>-- 
>- ╔═══════════════════╦══════════════════════════════════════════╗
>- ║   Martin Lomas    ║ OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7 ║
>- ║ martin@ ml1 co uk ║ Import from   hkp://subkeys.pgp.net   or ║
>- ║ ----------------- ║ http:// ml1 .co .uk/martin_ml1_co_uk.gpg ║
>- ╚═══════════════════╩══════════════════════════════════════════╝
>

Well, then open page 76 in the Linux Magazine I gave you in April :)
--
vadim at mankevich.co.uk PGP key fingerprint
0xC046022A3A91455AF0C9BB2404BF882B1905C772
Retrieve from hkps://pgp.mit.edu
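The find(1) in Martin's message lists setuid/setgid files but says nothing about the file capabilities that setcap(8) stores in the security.capability xattr, which is how a binary such as ping can drop its setuid bit and keep only cap_net_raw. The following is an added example, not code from anyone on the list: it decodes that xattr by capability name (revision 1, 2 and 3 layouts from the kernel's vfs_cap_data structures) and reports setuid/setgid bits for a given path. It assumes a Linux host and the capability numbering from linux/capability.h.

```python
"""Decode setuid/setgid bits and Linux file capabilities (security.capability xattr). Added example, not the thread's code."""
import os
import stat
import struct

# Capability bit numbers per linux/capability.h: 0 = CAP_CHOWN ... 40 = CAP_CHECKPOINT_RESTORE.
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid "
             "setpcap linux_immutable net_bind_service net_broadcast net_admin "
             "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
             "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
             "sys_tty_config mknod lease audit_write audit_control setfcap "
             "mac_override mac_admin syslog wake_alarm block_suspend audit_read "
             "perfmon bpf checkpoint_restore").split()

def decode_vfs_cap(raw):
    """Parse struct vfs_cap_data (rev 1/2) or vfs_ns_cap_data (rev 3), little-endian,
    into (permitted_mask, inheritable_mask, effective_flag, rootid)."""
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    revision = magic_etc & 0xFF000000                   # VFS_CAP_REVISION_MASK
    effective = bool(magic_etc & 0x000001)              # VFS_CAP_FLAGS_EFFECTIVE
    if revision == 0x01000000:                          # rev 1: one 32-bit pair
        permitted, inheritable = struct.unpack_from("<II", raw, 4)
        return permitted, inheritable, effective, 0
    if revision in (0x02000000, 0x03000000):            # rev 2/3: two 32-bit pairs
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", raw, 4)
        rootid = struct.unpack_from("<I", raw, 20)[0] if revision == 0x03000000 else 0
        return p_lo | p_hi << 32, i_lo | i_hi << 32, effective, rootid
    raise ValueError("unknown security.capability revision 0x%08x" % revision)

def cap_text(permitted, inheritable, effective, rootid=0):
    """Render the sets the way getcap(8) prints them, e.g. 'cap_net_raw=ep'."""
    names = lambda mask: ",".join("cap_" + CAP_NAMES[b] if b < len(CAP_NAMES) else "cap_%d" % b
                                  for b in range(64) if mask >> b & 1)
    parts = [names(permitted) + ("=ep" if effective else "=p")] if permitted else []
    if inheritable:
        parts.append(names(inheritable) + "=i")
    if rootid:                                          # rev 3: only valid inside that user namespace
        parts.append("[rootid=%d]" % rootid)
    return " ".join(parts)

def privilege_marks(path):
    """Return why a regular file is privileged: 'setuid', 'setgid' and/or 'caps:...'."""
    st = os.lstat(path)
    marks = [m for bit, m in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
             if stat.S_ISREG(st.st_mode) and st.st_mode & bit]
    try:
        marks.append("caps:" + cap_text(*decode_vfs_cap(os.getxattr(path, "security.capability"))))
    except (OSError, AttributeError):                   # ENODATA: no file caps; no xattr API on non-Linux
        pass
    return marks
```

Wrapped in os.walk over /bin, /usr and /sbin this reproduces the listing above with file capabilities added; decode_vfs_cap only needs the raw xattr bytes, so it also works on values collected from another host.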
