Protecting processes, binaries with capabilities
Casey Schaufler
casey at sgi.com
Tue Aug 8 16:30:24 GMT 2000
Robert Watson wrote:
>
> So, I've been working on the capability-enabled TrustedBSD environment,
> and wanted to briefly raise the issue of protection of privileged
> processes. In the standard BSD environment, processes that spawn from
> setuid/setgid binaries, or have previously had privilege (started with
> uid0) are protected from some amount of interference from other processes
> without privilege, even if they have the same uid. Typically, this
> protection involves preventing debugger access to the process, access to
> its address space via /proc, limiting of signals that can be delivered,
> etc.
We do the same on Irix. We also enforce rules regarding shared
library paths, which some people dislike.
> In my current implementation, capabilities on a binary are not removed
> when the binary is modified, unlike setuid/setgid support. Due to the
> current layering and implementation of extended attributes, adding that
> support will take a little bit, but presumably is a good idea. Do other
> platforms currently strip capabilities when the binary is modified?
Irix doesn't, but it's a bug, and we've got someone working on a
fix for it.
--
Casey Schaufler Manager, Trust Technology, SGI
casey at sgi.com voice: 650.933.1634
casey_p at pager.sgi.com Pager: 888.220.0607
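The exchange above turns on one defensive question: does a binary keep its privilege (setuid/setgid bits, or file capabilities) after its contents change? The following is an added example, not code from this thread, from TrustedBSD or from Irix. It baselines every privileged regular file under a directory by content hash and later reports any of them that changed, noting whether the privilege survived the modification. The Linux extended attribute name `security.capability` is real; the directory layout and file contents in `demo()` are constructed for the example, and on a platform that clears setuid on write the reported reason will say so.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

SETUID_SETGID = stat.S_ISUID | stat.S_ISGID


def has_file_capabilities(path: str) -> bool:
    """True if the file carries a Linux 'security.capability' xattr.

    Returns False where the platform has no os.getxattr or the attribute
    is absent, so the scan still runs on non-Linux systems.
    """
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return False
    try:
        getxattr(path, "security.capability")
        return True
    except OSError:
        return False


def is_privileged(path: str) -> bool:
    """A regular file is 'privileged' if it is setuid/setgid or carries file capabilities."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return bool(st.st_mode & SETUID_SETGID) or has_file_capabilities(path)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each privileged regular file under root to its content hash."""
    baseline: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if is_privileged(p):
                baseline[p] = sha256_of(p)
    return baseline


def check_baseline(baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Report baselined files that vanished or changed.

    A changed file is flagged either way; the reason records whether the
    platform stripped its privilege on write (the behaviour the thread
    discusses) or left it in place, which is the case an operator must act on.
    """
    findings: List[Tuple[str, str]] = []
    for p, digest in baseline.items():
        if not os.path.exists(p):
            findings.append((p, "missing"))
        elif sha256_of(p) != digest:
            if is_privileged(p):
                findings.append((p, "modified, still privileged"))
            else:
                findings.append((p, "modified, privilege stripped"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: one setuid file and one ordinary file, both then modified.

    Only the setuid file was baselined, so only it should be reported.
    """
    d = tempfile.mkdtemp()
    priv = os.path.join(d, "priv")
    plain = os.path.join(d, "plain")
    for p in (priv, plain):
        with open(p, "wb") as f:
            f.write(b"original")
    os.chmod(priv, 0o4755)   # setuid + rwxr-xr-x (constructed)
    os.chmod(plain, 0o755)   # ordinary executable
    base = build_baseline(d)
    for p in (priv, plain):
        with open(p, "ab") as f:
            f.write(b" tampered")
    return [(os.path.basename(p), reason) for p, reason in check_baseline(base)]


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Running `demo()` as an unprivileged user on Linux normally yields `("priv", "modified, privilege stripped")`, because the kernel drops setuid on write by a process without `CAP_FSETID`; run as root, or on a platform that does not strip, the reason becomes `"modified, still privileged"`, which is exactly the condition the baseline exists to catch.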