| 1 |
Hi everyone, |
| 2 |
|
| 3 |
here is my first progress report :). |
| 4 |
|
| 5 |
This is the abstract of my project: |
| 6 |
This project will add a feature to Gentoo to use POSIX-Capabilities |
| 7 |
instead of setuid/setgid, which would be a security enhancement. Gentoo |
| 8 |
allows some security features already and Capabilities will make a |
| 9 |
useful addition. |
| 10 |
The user will be able to choose, if he/she wants to use Capabilities by |
| 11 |
setting a USE-Flag or selecting an appropriate profile. |
| 12 |
|
| 13 |
For those of you, who wonder what these capabilities are and how one |
| 14 |
uses them, I included some interesting links at the bottom, have fun :). |
| 15 |
|
| 16 |
I use git-hub [1] for my project and use the wiki there for some more |
| 17 |
detailed status-reports. I also started a blog, which you can find here [2]. |
| 18 |
|
| 19 |
So, getting to the point, what did I do this week: |
| 20 |
I started implementing the ebuild-helper (fcaps), which will be used to |
| 21 |
set the capabilities. |
| 22 |
So far it can do: |
| 23 |
- set a single capability |
| 24 |
- add =ep to add the capability to the effective and permitted set |
| 25 |
- detect if the capability got set correctly |
| 26 |
- set fallback permissions, if the capability couldn't be set |
| 27 |
|
| 28 |
To see how fcaps behaves I used the net-misc/iputils ebuild. Since I |
| 29 |
already knew which capability ping needs, I started with ping. I put the |
| 30 |
call to fcaps in pkg_postinst(), because the capability gets lost, if |
| 31 |
the binary is copied out of the sandbox. There are mechanisms to keep |
| 32 |
these kinds of attributes, so if there are objections to setting |
| 33 |
capabilities outside the sandbox, I will look into these mechanism. As |
| 34 |
far as I know there has already been some work done by the portage team |
| 35 |
to preserve these attributes. |
| 36 |
|
| 37 |
Maybe you would like to know how a call to fcaps looks like at the |
| 38 |
moment? Here it is: |
| 39 |
fcaps uid:gid file-mode capability path/to/binary |
| 40 |
For example: |
| 41 |
fcaps root:root 4711 cap_net_raw /bin/ping |
| 42 |
|
| 43 |
The uid:gid and file-mode are needed for the fallback-mechanism. |
| 44 |
|
| 45 |
Next week I will implement the ability to set more than one capability, |
| 46 |
test fcaps with different filesystem and kernels and find out how to |
| 47 |
properly produce ebuild-output, so I can inform the user, if the |
| 48 |
capabilities couldn't be set. |
| 49 |
|
| 50 |
So that's it for now, if you have questions or suggestions, feel free to |
| 51 |
mail me :). |
| 52 |
|
| 53 |
Cheers, |
| 54 |
Constanze |
| 55 |
|
| 56 |
[1] http://github.com/constanze/GSoC2010_Gentoo_Capabilities |
| 57 |
[2] http://coupleprogramming.eu/blog/?cat=3 |
| 58 |
|
| 59 |
Some interesting links about capabilities: |
| 60 |
http://www.linuxjournal.com/magazine/making-root-unprivileged |
| 61 |
http://linux.die.net/man/7/capabilities |
| 62 |
http://www.ibm.com/developerworks/library/l-posixcap.html |
| 63 |
http://www.friedhoff.org/posixfilecaps.html |
Archives