Home_greyopenFATE - openSUSE feature tracking > #307254
Dashboard | Search | Sign up | Login

Please login or register to be able to edit or vote this feature.

Use POSIX capabilities instead of suid

Feature state

openSUSE-11.3
Rejected Information
openSUSE-11.4
Marketplace

Description

Use POSIX file capabilities instead of suid processes and running e.g. Apache as root:

Status: fscaps support is available at packaging level via /etc/permissions. See iputils as example how to do it.

Discussion


icons/user_comment.png J. E. wrote: (8 years ago)

Some tools like tar(1) do not even support recording Xattrs/ACLs (yet people still use that for backups), and Filesystem Capabilities (not POSIX capabilities) would not be recorded either. Such should really be addresses first, more or less.

icons/user_comment.png P. B. wrote: (8 years ago)

No question, it's a mid term objective. And not exactly trivial to solve either.

I posted this feature rather as a reminder that that enhancement exists, and that Fedora is trying to get it implemented. Just to keep an eye on it ;)

icons/user_comment.png C. R. wrote: (7 years ago)

I have enabled support for file capabilities in rpm using the %caps() macro in factory

However having it enabled in rpm is not that useful as the actual feature has to be activated manually by the user booting with file_caps=1 , does anyone know the reason why it isnt enabled by default ? 

icons/user_comment.png L. N. wrote: (7 years ago)

Before we can use fscaps in packages...

  1. we need a mechanism that handles fscaps similar to /etc/permissions
  2. we need an rpmlint check
  3. binaries need to be audited whether they are suitable for fscaps use, just like setuid binaries
icons/user_comment.png L. N. wrote: (7 years ago)

Are we absolutely sure that 11.4 does support file capabilities by default?

I wonder whether to implement a runtime switchable way between traditional suid binaries and fscaps.

Also what about run time upgrades to the new distro? In that case the old kernel without fscaps is running but we would install binaries that rely on fscaps. Ie the system wouldn't work properly until reboot.

icons/user_comment.png C. R. wrote: (7 years ago)

It is disabled by default.. have to boot with  file_caps=1  .. does anyone know why is that ? 

icons/user_comment.png A. J. wrote: (7 years ago)

Seems to be the same idea that Fedora is doing now: http://lwn.net/Articles/412237/

icons/user_comment.png L. N. wrote: (7 years ago)

yes. my current plan is to not change attributes in the packages though. Instead applying fscaps happens automatically via /etc/permissions mechanism if the system supports it. That avoids the problems Fedora sees atm with file systems that do not support fscaps.

See home:lnussel:fscaps for current state

icons/user_comment.png S. L. wrote: (7 years ago)

I doubt Posix Capabilities is more secure. Imagine, that program still is runned on user privileges + some capabilties. User can debug program, changing memory of it, etc.

icons/user_comment.png R. D. wrote: (7 years ago)

The escalation of privilege is still controlled in way a suid root program would be, they have however a finer grained "just enough" level of privilege rather than the whole shebang.
Suppose you find a way to overwrite stack in ping(1), if that does not permit you a root shell, but simply a privileged socket it is much harder to exploit the flaw in the program.

You are right, capabilities should not be given to user owned programs.

icons/user_comment.png S. L. wrote: (7 years ago)

Maybe PolicyKit team will add support of PCaps to PKexec? In this case any process can run process with some capabilities, but also in different process group.

icons/user_comment.png L. N. wrote: (7 years ago)

fscaps support is now implemented in the permissions package. See ping in package iputils as example.

icons/user_comment.png K. K. wrote: (7 years ago)

I proposed to look at this idea into GSOC ideas wiki page. We are looking for mentors so if anyone wants to help, please add your name in the wiki page (http://en.opensuse.org/openSUSE:GSOC_2011_Ideas )

icons/user_comment.png L. N. wrote: (6 years ago)

I had to disable fscaps support again as last minute change for 12.1 since tar doesn't support fscaps but is used by kiwi to create images. Resulting appliances therefore don't work.

icons/user_comment.png C. M. wrote: (5 years ago)

What's the current state?

icons/user_comment.png C. R. wrote: (5 years ago)

Well, according to
https://bugzilla.redhat.com/show_bug.cgi?id=771927 it is fixed, another better option is just to dump gnu tar and use bsdtar which is able to preserve capabilities just fine.

Last change: 5 years ago
Voting
Score: 13
  • Negative: 1
  • Neutral: 2
  • Positive: 14
Feature Export
Application-xmlXML   Text-x-logPlaintext   PrinterPrint