Hi everyone,

here is my first progress report :).

This is the abstract of my project:
This project will add a feature to Gentoo to use POSIX capabilities
instead of setuid/setgid, which would be a security enhancement. Gentoo
already offers some security features, and capabilities will make a
useful addition.
The user will be able to choose whether to use capabilities by
setting a USE flag or selecting an appropriate profile.

For those of you who wonder what these capabilities are and how one
uses them, I included some interesting links at the bottom; have fun :).

I use GitHub [1] for my project and use the wiki there for some more
detailed status reports. I also started a blog, which you can find here [2].

So, getting to the point, what did I do this week:
I started implementing the ebuild helper (fcaps), which will be used to
set the capabilities.
So far it can:
- set a single capability
- add =ep to add the capability to the effective and permitted sets
- detect whether the capability got set correctly
- set fallback permissions if the capability couldn't be set

To see how fcaps behaves I used the net-misc/iputils ebuild. Since I
already knew which capability ping needs, I started with ping. I put the
call to fcaps in pkg_postinst(), because the capability gets lost if
the binary is copied out of the sandbox. There are mechanisms to keep
these kinds of attributes, so if there are objections to setting
capabilities outside the sandbox, I will look into these mechanisms. As
far as I know there has already been some work done by the portage team
to preserve these attributes.

Maybe you would like to know what a call to fcaps looks like at the
moment? Here it is:
fcaps uid:gid file-mode capability path/to/binary
For example:
fcaps root:root 4711 cap_net_raw /bin/ping

The uid:gid and file-mode are needed for the fallback mechanism.

Next week I will implement the ability to set more than one capability,
test fcaps with different filesystems and kernels, and find out how to
properly produce ebuild output, so I can inform the user if the
capabilities couldn't be set.

So that's it for now; if you have questions or suggestions, feel free to
mail me :).

Cheers,
Constanze

[1] http://github.com/constanze/GSoC2010_Gentoo_Capabilities
[2] http://coupleprogramming.eu/blog/?cat=3

Some interesting links about capabilities:
http://www.linuxjournal.com/magazine/making-root-unprivileged
http://linux.die.net/man/7/capabilities
http://www.ibm.com/developerworks/library/l-posixcap.html
http://www.friedhoff.org/posixfilecaps.html
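The four behaviours the report lists for fcaps (set one capability with =ep, verify it, fall back to setuid/setgid permissions, report the failure) together form a short procedure; below is an added POSIX sh sketch of such a helper with the same argument order as the report's `fcaps uid:gid file-mode capability path`. It is example code written for this page, not the project's fcaps from the GitHub repository. It assumes `setcap`/`getcap` from libcap are installed (both are overridable through the `FCAPS_SETCAP`/`FCAPS_GETCAP` variables, which are this example's invention), and it assumes 0755 as the non-setuid mode once the capability is in place, which the report does not specify.

```shell
#!/bin/sh
# Added example (not the project's fcaps): set one file capability, verify it
# with getcap, and otherwise fall back to the supplied owner and setuid mode.
#
# Assumption: setcap/getcap from libcap. The two variables exist only so the
# commands can be swapped out (e.g. for offline testing); they are not part
# of the real helper.
FCAPS_SETCAP=${FCAPS_SETCAP:-setcap}
FCAPS_GETCAP=${FCAPS_GETCAP:-getcap}

# "=ep" puts the capability into the file's effective and permitted sets,
# as the report describes.
fcaps_capspec() {
    printf '%s=ep\n' "$1"
}

# Check one line of getcap output for the capability in both sets. Older
# libcap prints "/bin/ping = cap_net_raw+ep", newer libcap prints
# "/bin/ping cap_net_raw=ep"; accept both, reject anything else (for example
# a permitted-only "+p", or a different capability). Single capability only,
# matching the helper's current state.
fcaps_verify_line() {
    _line=$1 _cap=$2
    case "$_line" in
        *"$_cap+ep"*|*"$_cap=ep"*) return 0 ;;
        *) return 1 ;;
    esac
}

# fcaps uid:gid file-mode capability path
# Exit status: 0 capability set and verified; 1 fallback permissions applied;
# 2 neither the capability nor the fallback could be applied.
fcaps() {
    _owner=$1 _mode=$2 _cap=$3 _path=$4
    _spec=$(fcaps_capspec "$_cap")
    if "$FCAPS_SETCAP" "$_spec" "$_path" 2>/dev/null &&
       fcaps_verify_line "$("$FCAPS_GETCAP" "$_path" 2>/dev/null)" "$_cap"; then
        # Capability in place: drop any setuid/setgid bits so the binary only
        # gets the one capability (assumption: 0755 is the intended mode).
        chmod 0755 "$_path"
        return 0
    fi
    # Fallback: no xattr support, no setcap, or not root. Tell the caller and
    # install the classic setuid/setgid permissions with the given owner.
    echo "fcaps: could not set $_spec on $_path, falling back to $_owner $_mode" >&2
    if chown "$_owner" "$_path" && chmod "$_mode" "$_path"; then
        return 1
    fi
    return 2
}
```

Two points worth keeping from this sketch when the helper is used from pkg_postinst() as in the report: the success path must not leave the setuid bit in place, otherwise the capability buys nothing; and the check reads `getcap` back rather than trusting `setcap`'s exit status, which is what lets the fallback path trigger on a filesystem without capability xattrs. The verification as written only handles a single capability; a combined spec such as `cap_net_raw,cap_net_admin=ep` would need the matcher to split the list, which the report defers to the multi-capability work planned next.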