Debugging and POSIX.1e capabilities

Robert Watson rwatson at FreeBSD.org
Wed Dec 5 17:47:28 GMT 2001


Right now, a variety of security checks are performed on FreeBSD when some
process (p1) attempts to debug (p2).  We're expanding those tests to take
into account capabilities, and had two concerns we wanted to address:

(1) Does p2 have capabilities (or access to capabilities) that p1 does
    not?

(2) Did p2 have access to capabilities that p1 does not?

We address (1) by simply comparing the capability sets, determining
whether p2's effective and permitted sets are subsets of p1's effective
set.

We address (2) in two ways currently, but are planning to fall back to one
way: right now, we track the "maximum" capabilities a process has gained
access to since the last exec, and do a similar check of the maximum set.
We also abuse the P_ISUGID bit, which gets set during a variety of process
credential upgrades and downgrades in FreeBSD (uids, gids, etc).

Are there any aspects to this that we're missing?  Is this too stringent?
Should we also be checking the inheritable bits of p2?

Finally, CAP_SYS_PTRACE was introduced in the linux-privs implementation.
We borrowed that in the FreeBSD implementation, but are trying to
determine how it should behave.  There appear to be (at least) two
interesting cases:

(1) CAP_SYS_PTRACE could override normal uid-based debugging protections
    of processes: it might allow user bfeldman to debug a process owned by
    rwatson, for example.  (thus bypassing *existing* protections against
    debugging).

(2) CAP_SYS_PTRACE could permit a process p1 to debug a process p2 whose
    capability set is *not* a subset of p1's, allowing CAP_SYS_PTRACE to
    be used to gain access to other capabilities not in the set of p1.

If CAP_SYS_PTRACE does satisfy (2), then it is in practice a magic
capability that gives you access to any other capability, which might not
be desirable.  On the other hand, being able to trace a process by any
uid might (in practice) offer the same ability?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org      NAI Labs, Safeport Network Services
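As an added illustration (not code from the post or from FreeBSD), here is the debugging check described above modelled in C: constructed bitmask capability sets, the "maximum since exec" set and the P_ISUGID flag, and a hypothetical `can_debug()` that takes the CAP_SYS_PTRACE policy as a parameter so cases (1) and (2) can be compared side by side.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed capability bits; the real encodings are not in the post. */
#define CAP_SYS_PTRACE (1u << 0)
#define CAP_SETUID     (1u << 1)
#define CAP_NET_ADMIN  (1u << 2)

typedef uint32_t capset_t;

struct proc {
    unsigned uid;
    capset_t effective;   /* caps in force now */
    capset_t permitted;   /* caps the process may raise into effective */
    capset_t maximum;     /* every cap held at any point since last exec */
    bool     p_isugid;    /* credentials changed since exec (uid/gid/caps) */
};

/* Policy for CAP_SYS_PTRACE: the two cases the post distinguishes. */
enum ptrace_policy { PTRACE_OVERRIDES_UID, PTRACE_OVERRIDES_CAPS };

static bool is_subset(capset_t a, capset_t b) { return (a & ~b) == 0; }

/* Decide whether p1 may debug p2 under the given CAP_SYS_PTRACE policy. */
static bool can_debug(const struct proc *p1, const struct proc *p2,
                      enum ptrace_policy policy)
{
    bool ptrace = (p1->effective & CAP_SYS_PTRACE) != 0;

    /* Case (1): the ordinary uid check, which CAP_SYS_PTRACE may bypass. */
    if (p1->uid != p2->uid && !ptrace)
        return false;
    /* Case (2): CAP_SYS_PTRACE also skips the capability checks below,
     * which is what makes it a "magic capability". */
    if (ptrace && policy == PTRACE_OVERRIDES_CAPS)
        return true;
    /* Concern (1): p2 must not hold, or be able to raise, caps p1 lacks. */
    if (!is_subset(p2->effective | p2->permitted, p1->effective))
        return false;
    /* Concern (2): p2 must not have held such caps earlier, and must not
     * have gone through a credential change since its last exec. */
    if (!is_subset(p2->maximum, p1->effective) || p2->p_isugid)
        return false;
    return true;
}
```

Under PTRACE_OVERRIDES_UID a debugger holding only CAP_SYS_PTRACE can cross uids but still cannot attach to a process holding CAP_SETUID; under PTRACE_OVERRIDES_CAPS the same attach succeeds, which is the escalation path the post worries about.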

