On 12/21/2010 11:47 AM, Colin Walters wrote:
> Pardon the thread necromancy,
>
> So recently I had cause to look at http://fedoraproject.org/wiki/Features/RemoveSETUID again (I was investigating the X server permissions for an unrelated reason).
>
> Now, that page links to http://people.redhat.com/sgrubb/libcap-ng/index.html which attempts to explain the value of capabilities, etc. I was following along on all of this, and I understand that capabilities have some (non-negligible) value if you don't have e.g. cap_sys_admin. But then I got to the point where it says:
>
> "But they still have uid 0, which typical system installation allows root to do things. For example, /bin/sh is 0755 and /bin is also 0755 perms. A disarmed root process can still trojan a system. But what if we got rid of all the read/write permissions for root?"
>
> So...right, "we can do these small changes, and then if we do this BIG CHANGE, it all works!". But this feature doesn't include BIG CHANGE, and there are no plans to, right? Or is chmod u-rwx g-rwx on the root filesystem really in the cards?
>
> Now, https://fedoraproject.org/wiki/Features/LowerProcessCapabilities appears to claim 100% completion on this for Fedora 12, but none (?) of it happened?
File capabilities just limit the number of capabilities an application starts with. A setuid app means an app starts with all 32 capabilities (plus a couple of new ones). Then it is up to the app developer to drop the capabilities when the app is done using them. Going to file capabilities just limits the capabilities an application starts with to the specified capabilities. The application developer should still drop the capabilities once they no longer need them. It helps in the case of a bug in an application that does not drop capabilities.
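An added example, not code from this thread or from libcap-ng, of the discipline the reply describes: a process that starts with whatever its file capabilities or setuid bit gave it narrows itself to the one capability it needs and drops everything once the privileged step is done. It uses the raw capget/capset syscalls directly (Linux only, no libcap-ng required); CAP_NET_BIND_SERVICE stands in for whichever capability a real program would keep.

```c
/* Added example: narrow, then drop, capabilities via raw capget/capset.
 * Linux only. Masks cover capability numbers 0..63 using the two 32-bit
 * words of _LINUX_CAPABILITY_VERSION_3. */
#define _GNU_SOURCE
#include <stdint.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

typedef struct { uint64_t effective, permitted, inheritable; } capsets_t;

/* Read this process's three capability sets; 0 on success, -1 on error. */
static int caps_get(capsets_t *out) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2] = {{0}};
    if (syscall(SYS_capget, &hdr, d) != 0) return -1;
    out->effective   = ((uint64_t)d[1].effective   << 32) | d[0].effective;
    out->permitted   = ((uint64_t)d[1].permitted   << 32) | d[0].permitted;
    out->inheritable = ((uint64_t)d[1].inheritable << 32) | d[0].inheritable;
    return 0;
}

/* Write the three sets. The kernel only lets a process shrink its sets
 * here, so this can never hand out a capability the process lacks. */
static int caps_set(const capsets_t *in) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    for (int i = 0; i < 2; i++) {
        d[i].effective   = (uint32_t)(in->effective   >> (32 * i));
        d[i].permitted   = (uint32_t)(in->permitted   >> (32 * i));
        d[i].inheritable = (uint32_t)(in->inheritable >> (32 * i));
    }
    return syscall(SYS_capset, &hdr, d) != 0 ? -1 : 0;
}

/* Keep at most one capability: intersect every set with it. A setuid or
 * file-capability process that started with more is narrowed; an already
 * unprivileged process simply stays at zero. */
static int caps_keep_only(int cap) {
    capsets_t c;
    if (caps_get(&c) != 0) return -1;
    uint64_t keep = (uint64_t)1 << cap;
    c.effective &= keep; c.permitted &= keep; c.inheritable &= keep;
    return caps_set(&c);
}

/* After the privileged step: clear permitted too, so it cannot come back. */
static int caps_drop_all(void) {
    capsets_t none = {0, 0, 0};
    return caps_set(&none);
}

/* Check helper: 1 if no capability outside `mask` is held, else 0. */
static int caps_within(uint64_t mask) {
    capsets_t c;
    if (caps_get(&c) != 0) return 0;
    return ((c.effective | c.permitted) & ~mask) == 0;
}
```

Run as root with a file capability set on the binary to see the narrowing take effect; as an ordinary user every set is already empty and both calls still succeed.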