I post this following the issue (a bit off-topic) of linux kernel capabilities just in 2.1.x.

Andrea[s] Arcangeli

---------- Forwarded message ----------
Date: Thu, 25 Jun 1998 01:30:05 +0200 (MET DST)
From: MOLNAR Ingo <[EMAIL PROTECTED]>
To: Alan Cox <[EMAIL PROTECTED]>
Cc: Doug Elznic <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Secure-linux and standard kernel

On Thu, 25 Jun 1998, Alan Cox wrote:

> > I am very interested in securing the kernel and user level programs. What
> > types of security measures are being worked on within the standard kernel?
>
> 2.1.x has the beginning work for capabilities. It needs fs support in 2.3
> to be wonderful

if 'ping' is setuid root and the first thing say ping.c does is:

	drop_cap(ALL_BUT_RAWSOCKET);

then we have all the safety needed. It's less sexy than:

	[mingo@hal mingo]$ ls -l /bin/ping
	-rwxr-xr-x (CAP: net_raw) 1 root root 14148 Oct 30 2003 /bin/ping

but is just as secure if carefully designed. (eg. it should _really_ be the first thing done, presumably the binary startup code has to be modified)

btw, in some sense it's even more secure, capabilities are 'embedded permanently in the binary' and an admin cannot mis-configure the system. Also, it integrates the responsibility of acquiring capabilities with the source code itself, which isn't a bad concept either.

We might want to modify 'ls' to look at the file if it's setuid root, and display fancy stuff if the binary is in 'secure capabilities mode'. [I'm not sure how this whole concept could be implemented best though.]

-- mingo
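What Ingo's drop_cap(ALL_BUT_RAWSOCKET) sketch looks like on a modern Linux system, as an added example that is not from the thread above and not kernel or iputils code. drop_cap() and ALL_BUT_RAWSOCKET are hypothetical names in his mail; the code below uses the real capget(2)/capset(2) syscalls with the v3 header (two 32-bit words per set) and only ever shrinks the sets it already holds, so it behaves the same whether it starts as setuid root (keeps CAP_NET_RAW, loses everything else) or as an unprivileged user (all sets stay empty and the call still succeeds). The function names drop_all_but(), build_want() and caps_subset_of() are mine.

```c
/* Added example: a setuid-root program's first action, shrinking its
 * capability sets to exactly what it needs (here CAP_NET_RAW for ping-style
 * raw sockets). Names drop_all_but/build_want/caps_subset_of are ours, not
 * a kernel or libc API; the syscalls and structs are the real ones. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

#define CAP_WORDS 2   /* _LINUX_CAPABILITY_VERSION_3 uses two data words */

/* Translate a list of capability numbers into per-word bitmasks.
 * Returns 0, or -EINVAL for a number outside what two words can hold. */
int build_want(const int *keep, size_t nkeep, uint32_t want[CAP_WORDS])
{
    memset(want, 0, sizeof(uint32_t) * CAP_WORDS);
    for (size_t i = 0; i < nkeep; i++) {
        int c = keep[i];
        if (c < 0 || c >= 32 * CAP_WORDS)
            return -EINVAL;
        want[c / 32] |= 1u << (c % 32);
    }
    return 0;
}

/* Read the calling thread's capability sets. Returns 0 or -errno. */
static int read_caps(struct __user_cap_data_struct data[CAP_WORDS])
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    memset(data, 0, sizeof(struct __user_cap_data_struct) * CAP_WORDS);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    return 0;
}

/* Keep only the listed capabilities. Permitted is intersected with what we
 * already hold (capset refuses to add), effective is set equal to permitted,
 * and inheritable is cleared so nothing survives a later execve.
 * Returns 0 on success or -errno. */
int drop_all_but(const int *keep, size_t nkeep)
{
    uint32_t want[CAP_WORDS];
    int rc = build_want(keep, nkeep, want);
    if (rc)
        return rc;

    struct __user_cap_data_struct data[CAP_WORDS];
    rc = read_caps(data);
    if (rc)
        return rc;

    for (int w = 0; w < CAP_WORDS; w++) {
        data[w].permitted &= want[w];
        data[w].effective = data[w].permitted;
        data[w].inheritable = 0;
    }
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    return 0;
}

/* Verification helper: 1 if every permitted capability is in the keep list,
 * 0 if something else is still held, -errno if the sets cannot be read. */
int caps_subset_of(const int *keep, size_t nkeep)
{
    uint32_t want[CAP_WORDS];
    int rc = build_want(keep, nkeep, want);
    if (rc)
        return rc;
    struct __user_cap_data_struct data[CAP_WORDS];
    rc = read_caps(data);
    if (rc)
        return rc;
    for (int w = 0; w < CAP_WORDS; w++)
        if (data[w].permitted & ~want[w])
            return 0;
    return 1;
}

int main(void)
{
    const int keep[] = { CAP_NET_RAW };
    int rc = drop_all_but(keep, 1);
    if (rc) {
        fprintf(stderr, "capset failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("permitted set is now a subset of {CAP_NET_RAW}: %s\n",
           caps_subset_of(keep, 1) == 1 ? "yes" : "no");
    return 0;
}
```

Two caveats follow from Ingo's "it should _really_ be the first thing done". First, anything that runs before this call (shared-library constructors, the dynamic loader) still runs with full root, so the drop belongs as early as the program can place it. Second, if the program later switches to the invoking user with setuid(getuid()), the kernel clears the permitted and effective sets on the 0-to-nonzero euid change unless PR_SET_KEEPCAPS or the corresponding securebits were set beforehand, so a ping that wants to keep CAP_NET_RAW after dropping root has to order those steps deliberately; the bounding set is not touched here at all.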