1 |
On 26/01/2013 08:46, Mike Frysinger wrote: |
2 |
> |
3 |
> at least, this is all my understanding of things. i could be completely |
4 |
> wrong, so feel free to correct something if you notice it. |
5 |
|
6 |
All looks good to me, but just because somebody is going to wonder this |
7 |
I would add a few words: |
8 |
|
9 |
While this is basically the same underlying idea of selinux and rbac, it |
10 |
is much more limited in scope. In particular instead of telling each |
11 |
program exactly what they can or cannot do, we're giving them a broad |
12 |
spectrum of privileges (but much narrower than what a setuid root |
13 |
program would have). This is both less rewarding in term of security, |
14 |
and less headache-prone. |
15 |
|
16 |
Indeed most of the capabilities currently allowed are pretty much "do |
17 |
something almost like root" — so for instance `tcpdump` needs |
18 |
CAP_NET_ADMIN that does... almost everything with the network, while |
19 |
`ping` would just use CAP_NET_RAW and be able to send out the ICMP ECHO |
20 |
packets just fine. A web server, or any other server using privileged |
21 |
TCP/UDP ports (<1024) would need instead CAP_NET_BIND_SERVICE. |
22 |
|
23 |
All these settings allow tools to run as users who generally don't have |
24 |
said capabilities, and yet be able to execute higher-level features. As |
25 |
Mike said, this is just to replace setuid (and if you got selinux, you |
26 |
go one step further because you can for instance give |
27 |
CAP_DAC_READ_SEARCH to a tool, but also verify that it doesn't go |
28 |
randomly reading stuff out of an user's home. |
29 |
|
30 |
There's also a different kind of capabilities, in theory, relating to |
31 |
users instead and using PAM — but I never got to get it working :( |
32 |
|
33 |
-- |
34 |
Diego Elio Pettenò — Flameeyes |
35 |
flameeyes@×××××××××.eu — http://blog.flameeyes.eu/ |