[Nottingham] Linux (POSIX) capabilities attributes

Martin martin at ml1.co.uk
Thu May 25 15:07:02 UTC 2017


On 18/05/17 18:36, VM wrote:
> Oh, I thought security meant removing capabilities rather than adding. :) I find the topic quite interesting so I'm already impatiently waiting at the Angel.

In summary:

Overly convoluted into impractical complexity.



So... We have...

A sort of reference to the Linux capability system
http://forums.grsecurity.net/viewtopic.php?f=7&t=2522&sid=c6fbcf62fd5d3472562540a7e608ce4e#p10271

Inheriting capabilities -
Linux capabilities have long been seen as a way to avoid setuid programs
https://lwn.net/Articles/632520/

google/capsicum-linux
Linux kernel with Capsicum support
https://github.com/google/capsicum-linux


Some key comments in that lot are:

"As of Linux 2.6.37, there are 35 capabilities which exist with the
intent to split up the privilege associated with UID 0."

"File capabilities have yet to be fully utilized in any distro"

"... [Security-wise] That's 19 [out of the] 35 capabilities equivalent
to full root..."

"The POSIX [capabilities] scheme is workable, but given that it's 20
years old and hasn't developed real traction it's hard to call it
successful."

"Capsicum introduces a new kind of file descriptor, a capability file
descriptor... Capsicum also introduces capability mode..."

"... there are a number of barriers in the way of using capabilities on
Linux systems. They are complex to reason about, have an API that is
difficult to use, and have been inconsistently applied over the years.
... For good or ill, capabilities are part of the kernel ABI and are
thus likely to be with us "forever". Changes like the ambient set may
not reduce the complexity at all, but may help provide a more usable
capabilities system going forward."



My take on all that is that the use of capabilities is a nice idea but
the implementation is overly convoluted into impractical complexity.

And even if used, there are too many security holes open for exploit!



One to hold off on until further development or new developments arrive.

Cheers,
Martin



-- 
- ╔═══════════════════╦══════════════════════════════════════════╗
- ║   Martin Lomas    ║ OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7 ║
- ║ martin@ ml1 co uk ║ Import from   hkp://subkeys.pgp.net   or ║
- ║ ----------------- ║ http:// ml1 .co .uk/martin_ml1_co_uk.gpg ║
- ╚═══════════════════╩══════════════════════════════════════════╝
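The quoted material above talks about the split of UID 0 into 35 (now more) capabilities, about roughly half of them being equivalent to full root, and about the ambient set. A concrete way to see what that means on a real box is to decode the five Cap* bitmasks the kernel reports in /proc/<pid>/status. The script below is an added example for this archive page, not code from the post or from any of the linked projects. The field names (CapInh, CapPrm, CapEff, CapBnd, CapAmb) and the capability numbering are the kernel's own; the two status samples are constructed, and the ROOT_EQUIVALENT set is an illustrative subset chosen here as an assumption, not the 19-capability list the grsecurity post refers to.

```python
"""Decode the capability sets a Linux process exposes in /proc/<pid>/status.

Added example (not from the mailing-list post). The field names CapInh,
CapPrm, CapEff, CapBnd and CapAmb are the real /proc/<pid>/status keys; the
capability numbering matches include/uapi/linux/capability.h. The
ROOT_EQUIVALENT set below is an illustrative subset chosen for this example,
not the 19-capability list referred to in the quoted forum post.
"""
import re
from typing import Dict, List

# Capability number -> name, as numbered by the kernel (0 = CAP_CHOWN).
# The first 35 entries (0..34) are the set that existed as of Linux 2.6.37.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Illustrative subset (an assumption for this example) of capabilities that
# on their own let a holder regain full root, e.g. by loading kernel code,
# writing raw devices, ptrace-ing privileged processes or changing uid.
ROOT_EQUIVALENT = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE",
    "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_SETUID", "CAP_SETGID",
    "CAP_SETFCAP", "CAP_CHOWN", "CAP_FOWNER", "CAP_MKNOD",
}

CAP_LINE = re.compile(r"^(CapInh|CapPrm|CapEff|CapBnd|CapAmb):\s*([0-9a-fA-F]+)\s*$")


def decode_mask(mask: int) -> List[str]:
    """Turn a capability bitmask into the list of capability names it sets."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits beyond the table are capabilities newer than this list.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_status(text: str) -> Dict[str, int]:
    """Extract the five Cap* hex masks from the text of /proc/<pid>/status."""
    sets: Dict[str, int] = {}
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def audit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Per capability set: names held, and which of them are in ROOT_EQUIVALENT."""
    report = {}
    for name, mask in parse_status(text).items():
        caps = decode_mask(mask)
        report[name] = {
            "caps": caps,
            "root_equivalent": sorted(c for c in caps if c in ROOT_EQUIVALENT),
        }
    return report


# Constructed samples in /proc/<pid>/status format (not captured from a real host).
# A daemon that kept only the two network capabilities (bits 10 and 13 = 0x2400).
SAMPLE_LEAST_PRIV = """Name:\tsome-daemon
Uid:\t1001\t1001\t1001\t1001
CapInh:\t0000000000000000
CapPrm:\t0000000000002400
CapEff:\t0000000000002400
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

# A root-owned process holding every capability up to CAP_AUDIT_READ (bit 37).
SAMPLE_FULL_ROOT = """Name:\tsome-root-service
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""


def audit_self() -> Dict[str, Dict[str, List[str]]]:
    """Audit the running interpreter itself; returns {} on hosts without /proc."""
    try:
        with open("/proc/self/status", encoding="ascii") as fh:
            return audit(fh.read())
    except OSError:
        return {}


if __name__ == "__main__":
    for label, sample in (("least-priv", SAMPLE_LEAST_PRIV), ("full-root", SAMPLE_FULL_ROOT)):
        eff = audit(sample)["CapEff"]
        print(f"{label}: {len(eff['caps'])} effective caps, "
              f"root-equivalent: {eff['root_equivalent'] or 'none'}")
    mine = audit_self()
    if mine:
        print("this process CapEff:", mine["CapEff"]["caps"] or "(none)")
```

Run it on a Linux host and the last line shows the effective set of the shell you started it from; pointing the same parser at other entries under /proc is how you would check whether a service that claims to have dropped privileges still carries one of the capabilities that hands root back. The CapAmb line is the ambient set the LWN article discusses: it is what lets a non-setuid, non-file-capability binary inherit capabilities across execve().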