| 1 |
On 26/01/2013 08:46, Mike Frysinger wrote: |
| 2 |
> |
| 3 |
> at least, this is all my understanding of things. i could be completely |
| 4 |
> wrong, so feel free to correct something if you notice it. |
| 5 |
|
| 6 |
All looks good to me, but just because somebody is going to wonder this |
| 7 |
I would add a few words: |
| 8 |
|
| 9 |
While this is basically the same underlying idea of selinux and rbac, it |
| 10 |
is much more limited in scope. In particular instead of telling each |
| 11 |
program exactly what they can or cannot do, we're giving them a broad |
| 12 |
spectrum of privileges (but much narrower than what a setuid root |
| 13 |
program would have). This is both less rewarding in term of security, |
| 14 |
and less headache-prone. |
| 15 |
|
| 16 |
Indeed most of the capabilities currently allowed are pretty much "do |
| 17 |
something almost like root" — so for instance `tcpdump` needs |
| 18 |
CAP_NET_ADMIN that does... almost everything with the network, while |
| 19 |
`ping` would just use CAP_NET_RAW and be able to send out the ICMP ECHO |
| 20 |
packets just fine. A web server, or any other server using privileged |
| 21 |
TCP/UDP ports (<1024) would need instead CAP_NET_BIND_SERVICE. |
| 22 |
|
| 23 |
All these settings allow tools to run as users who generally don't have |
| 24 |
said capabilities, and yet be able to execute higher-level features. As |
| 25 |
Mike said, this is just to replace setuid (and if you got selinux, you |
| 26 |
go one step further because you can for instance give |
| 27 |
CAP_DAC_READ_SEARCH to a tool, but also verify that it doesn't go |
| 28 |
randomly reading stuff out of an user's home. |
| 29 |
|
| 30 |
There's also a different kind of capabilities, in theory, relating to |
| 31 |
users instead and using PAM — but I never got to get it working :( |
| 32 |
|
| 33 |
-- |
| 34 |
Diego Elio Pettenò — Flameeyes |
| 35 |
flameeyes@×××××××××.eu — http://blog.flameeyes.eu/ |
Archives