Protecting processes, binaries with capabilities
Robert Watson
rwatson at FreeBSD.org
Tue Aug 8 16:10:24 GMT 2000
So, I've been working on the capability-enabled TrustedBSD environment,
and wanted to briefly raise the issue of protection of privileged
processes. In the standard BSD environment, processes that spawn from
setuid/setgid binaries, or have previously had privilege (started with
uid0) are protected from some amount of interference from other processes
without privilege, even if they have the same uid. Typically, this
protection involves preventing debugger access to the process, access to
its address space via /proc, limiting of signals that can be delivered,
etc.
Right now, I afford the same protection to processes executed with
capability, or that have held capability. However, I'd like to get some
clarification on how other platforms handle this protection. In
particular, in what situations is it safe to give up the protection -- I
allow recently exec'd processes to lose "sugid" protection if their
current capability set is empty for all of
{permitted,effective,inheritable}.
In my current implementation, capabilities on a binary are not removed
when the binary is modified, unlike setuid/setgid support. Due to the
current layering and implementation of extended attributes, adding that
support will take a little bit, but presumably is a good idea. Do other
platforms currently strip capabilities when the binary is modified?
(I must say it is quite satisfying to run ping with CAP_NET_RAW instead of
setuid :-).
Robert N M Watson
robert at fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
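As an added illustration (not code from the post or from TrustedBSD), the check below applies the rule described above: a just-exec'd process may drop "sugid"-style protection only when its permitted, effective and inheritable sets are all empty. It assumes the Linux /proc/<pid>/status representation (one hex bitmask per CapXxx line) and the Linux bit number for CAP_NET_RAW; the sample status texts are constructed.

```python
"""Decide whether a just-exec'd process may drop "sugid"-style protection.

Rule from the post: protection is kept while any of the permitted,
effective or inheritable capability sets is non-empty.  Input format
assumed here is the Linux /proc/<pid>/status "Cap*:" lines (hex bitmask
per set); TrustedBSD's own representation differs.
"""
import re

# Assumed Linux bit numbers (linux/capability.h); only used for display.
CAP_NAMES = {10: "CAP_NET_BIND_SERVICE", 13: "CAP_NET_RAW"}

# The three sets the post's rule looks at (bounding set is ignored).
PROTECTED_SETS = ("CapInh", "CapPrm", "CapEff")


def parse_cap_sets(status_text):
    """Return {set_name: int bitmask} for every Cap* line in a status file."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def cap_names(mask):
    """Expand a bitmask to capability names (unknown bits shown by number)."""
    return [CAP_NAMES.get(b, "CAP_%d" % b) for b in range(64) if mask >> b & 1]


def may_drop_sugid_protection(status_text):
    """True only if permitted, effective and inheritable are all empty."""
    sets = parse_cap_sets(status_text)
    missing = [s for s in PROTECTED_SETS if s not in sets]
    if missing:  # refuse to decide on incomplete data: fail closed
        raise ValueError("status lacks %s" % ", ".join(missing))
    return all(sets[s] == 0 for s in PROTECTED_SETS)


# Constructed samples: a ping-like process holding only CAP_NET_RAW
# (bit 13 == 0x2000), and a plain process whose exec left every set empty.
PING_STATUS = ("Name:\tping\nCapInh:\t0000000000000000\nCapPrm:\t0000000000002000\n"
               "CapEff:\t0000000000002000\nCapBnd:\t000001ffffffffff\n")
PLAIN_STATUS = ("Name:\tcat\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
                "CapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n")

if __name__ == "__main__":
    for name, text in (("ping", PING_STATUS), ("cat", PLAIN_STATUS)):
        eff = cap_names(parse_cap_sets(text)["CapEff"])
        print(name, "effective:", eff, "may drop protection:", may_drop_sugid_protection(text))
```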