Mastering POSIX File Capabilities

An anonymous reader passes along an IBM DeveloperWorks article on POSIX file capabilities, which have recently become available in the Linux kernel; they are expected in the mainline kernel by 2.6.24. POSIX file capabilities parcel out root user powers into smaller privileges. The article details how to program using file capabilities and how to switch on the ability of a system's setuid root binaries to use file capabilities.

At last

[Cally]

This is IMHO one of the very few areas where Windows has had an advantage over Linux. NTFS ACLs have been this granular since, what, 1993?

Re:At last

La la la! I can't hear you, la la la!

In all fairness, when I first moved completely to Linux from Windows, I was amazed that I had no granular control over files. I've made it work since then, and have gone beyond what Windows can do via SELinux, but still, I shouldn't need to employ a full time security guy to admin my SELinux machines just so I can get one feature.

Re:At last

Nope, I don't think you read and/or understood the article. This has nothing to do with file permissions it affects what 'capabilities' the resulting process has when it is executed. As far as I know Windows does not have anything similar. As for NTFS style ACLs those have been around for a while, google for POSIX ACLs.

Re:At last

[PenisLands]

Yes. Now in a year or so, Linux will be ready for the desktop. 2008 is the year of Linux on the desktop!

Re:At last

Windows does have the same concepts but it pales in comparison. Capabilities on Windows are purpose built rather than generic capabilities which further limits its value on Windows.

Re:At last

[joel48]

POSIX ACLs have been around for a while, but they don't address what the parent was referring to. POSIX ACLs allow extending beyond the standard user, group and other items, allowing multiple of each - but they still only allow the standard four digit octal permissions.

The NT ACLs have that capability, but much deeper granularity (write vs. append, replace, etc). Note that NFSv4 has similar granularity - but they are definitely not simple POSIX ACLs (there needed to be explicit support added to attempt to synchronize between them).

Re:At last

[rabtech]

Actually it does have similar mechanisms, in a way. Every process has a security token that determines what the process can and can't do. The main problem is that Windows doesn't really expose a good way to alter these permissions when the program is launched - it picks up whatever rights and permissions the user has. Runas is a good way around this, but there is no fundamental reason Windows couldn't let you right-click an exe, go to a permissions tab, and uncheck various permissions... like communicating over the network.

Re:At last

[Jaime2]

.Net programs have a feature called "Code Access Security" that give an executable a very specific set of permissions. For example -- by default, you cannot run a .Net program that does anything beyond create windows if you launch it from a network share or the Internet. This was introduced in 2001.

Re:At last

[jafac]

Both .net and COM/DCOM models have a different security layer allowing programs to have different privileges than the user. You can expose the configuration for this in "dcomcnfg.exe" -

Not the correct comparison.

[Junta]

Linux has had filesystem ACLs for ages (arbitrary lists of people with sets of permissions above and beyond user/group/world permissions).

This is essentially a finer-grained setuid. I.e., before, the filesystem permission granularity was 'the /bin/ping program code is permitted to assume root privileges', because ping needed to do *one* thing that only root could do. Code in this position is generally thoroughly audited and such, but presume for a moment a user figured out a buffer overflow using some ICMP pattern that would cause ping to execute arbitrary code. If not written correctly, the results could be disasterous. If well written, the program code has dropped all but the capability it needed, but the kernel/permissions aren't forcing the issue so the code must be trusted.

Enter this mechanism. Now, you can *force* the issue in the filesystem permissions to never even possibly allow ping anything but what it needed. If ping was badly written to not drop any privileges, and a malicious user overflowed, he'd still only be able to create raw sockets, and nothing more.

This sort of complexity I'm not sure is dealt with in Windows (or how) I don't even know what may or may not need setuid to be a good example under their architecture. It certainly paves the way for future distributions to have a lot fewer setuid programs to worry about (though, on the flip side, programs with few enhanced capabilities may still be dangerous and yet be less obvious as it isn't setuid, file listing may have to be tweaked to reflect the kinda-setuid nature to leave awareness).

Re:Not the correct comparison.

[Cally]

Linux has had filesystem ACLs for ages (arbitrary lists of people with sets of permissions above and beyond user/group/world permissions). News to me... ~ $ ls -l /etc total 1302 -rw-r--r-- 1 root root 15069 Feb 24 2006 a2ps.cfg -rw-r--r-- 1 root root 2563 Feb 24 2006 a2ps-site.cfg drwxr-xr-x 4 root root 1024 Feb 19 2007 acpi/ -rw-r--r-- 1 root root 46 Dec 21 20:58 adjtime drwxr-xr-x 2 root root 2048 Aug 10 11:51 alternatives/ [.... etc ...] Sure looks like 3 sets of rwx to me...

Re:Not the correct comparison.

[dkf]

If ping was badly written to not drop any privileges, and a malicious user overflowed, he'd still only be able to create raw sockets, and nothing more. You are aware just how much mischief they'd be able to do like that? For example, synthesizing ARP packets...

RBAC, Anyone?

[BrainInAJar]

Wow, they've invented a neutered version of RBAC.

way to be innovative.

Re:RBAC, Anyone?

[amorsen]

RBAC has been in Linux for a long time, in the form of SELinux. The new thing is that you can store the privileges in the file system. The advantage is that you don't need to modify your formerly set-uid applications, so it is easier on the system administrator. The disadvantage is that you don't need to modify your applications, so any security vulnerabilities caused by running with a lower privilege (yes, that is possible) might not be discovered by the good guys first.

Re:RBAC, Anyone?

GRSec and RSBAC add RBAC capabilities to linux too, and RSBAC through a couple modules could set limits on suid/normal execution and store the information on a file system directory accessible only by the kernel. POSIX compatibility seems new.

Re:RBAC, Anyone?

Others, it's "Role Based Access Control". It's appears only once in the Sun page as well, hidden in page navigation.

I had no idea what it is, and it's bad manners to throw around acronyms without once explaining them. (Unless it's a name like NSA or FBI.)

Systrace?

[RAMMS+EIN]

How do POSIX capabilities compare to systrace?

Re:Systrace?

systrace(4) exports certain (limited) operations to the user-land for filtering. It has been removed from NetBSD and will hopefully be removed from OpenBSD, as it's broken and, even if it weren't, poorly documented and poorly understood. Capabilities are implemented in-kernel; they usually suffer the same limitations. Both of them are "border-control" for a processes requesting resources and allow a process's credentials to be finely cross-checked for access rights.

Recently become available?

[RAMMS+EIN]

Quoth the summary:

``POSIX file capabilities, which have recently become available in the Linux kernel; they are expected in the mainline kernel by 2.6.24.''

Recently become available? Haven't POSIX capabilities been in Linux for some time? I seem to recall reading about them in the documentation for some 2.4 kernel, and there is a Gentoo page about them from some time in 2005. Am I missing something?

Re:Recently become available?

[RAMMS+EIN]

I just looked at the capability.h on my system, and it has

#define _LINUX_CAPABILITY_VERSION 0x19980330

This suggests to me that Linux has had capabilities since 1998 at least...

Re:Recently become available?

[xSauronx]

*waves hand in front of you* this is not the capabilities you are looking for.

Re:Recently become available?

[Junta]

POSIX capabilities are old, the ability to store which capabilities are permitted just like ACLs/owner/permission is new.

So before, ping gets executed and it's up to ping code to assume/give up unneeded POSIX capabilities as permitted by the rather broad setuid bit. Now, it's execed only with the appropriate capabilities even being possible, without needing the rather broad setuid bit being set. Setuid can be safe with effort, but if the program can operate under a more specific security context, all the better.

Re:Recently become available?

[RAMMS+EIN]

Ah, I see now that I _was_ missing something.

What is new is not that Linux has POSIX capabilities.

What is new is that you can store a description of the capabilities an executable is to receive _on the executable_.

Re:Recently become available?

[jd]

Patches for POSIX ACLs have existed for some time. Patches for controls in excess of POSIX have also existed for some time. Some filesystems have also supported ACLs (POSIX or their own) for some time, independently of the rest of the kernel. Linux also has very sophisticated security modules, including Linux capabilities and SELinux.

Linux having full POSIX capabilities is good, but frankly there are getting to be too many wholly independent security mechanisms. That's not to say that a single system would be good for everyone, but rather there should be only a few fundamental mechanisms which can be skinned to look like any of the "standard" mechanisms. The skins would then replace most of the implemented mechanisms, they would merely be configuration details. This reduces the possibility of insecurity by having too many opportunities for bugs, without limiting the system admins.

The biggest problem I see with the current system is that it isn't comprehensive. There's no easy way to provide trusted computing to memory (especially shared on the system, distributed or otherwise networked), security models generally don't work over clusters (eg: migrating a process from one machine to another won't necessarily migrate security labels or permissions), VNIC and Infiniband cards can RDMA direct into and out of memory without reference to security models, etc. This isn't a Linux problem, per se, in most cases. It's a hardware problem. Hardware is designed to be insecure, by design, and there is nothing any OS can do about such limitations.

Re:Recently become available?

[audi100quattro]

There are too many security mechanisms, and apart from those offered as patches, it's the distro that decides what you end up with. Some have multiple options, most don't. I use grsec/PaX with TPE to run all internet programs under a different user which can't execute anything except what's installed in /usr/bin. Combined with building all those internet programs using -fstack-protector-all on gentoo and restrictive user/group permissions on important directories, I think it's pretty good security without ACL's, LSM, SELinux etc.. (Change the user mask in /etc/profile to 002 and it's very desktop-friendly) Granted, I can't use Mono or WinE or pretty much any VMware/VirtualBox/qemu/etc program without turning PaX off, but there are a couple ways around that too. There might be a trade-off between performance and security to some limited extent, and the reason why stuff doesn't run as easily on OpenBSD/FreeBSD is because of their PaX-like memory protection, but the bigger trade-off between all the different security systems is trying to secure not-written-in-the-best-way programs vs. not running those programs at all and finding alternatives. I think LSM and it's ilk were made to secure things like WinE and Mono, now if only they were offered as patches and some easy to install utilities on any distro.

Re:Recently become available?

[cocacoch]

... but not for you as a user or admin usable to secure your system. Ideas how to use it: http://www.friedhoff.org/fscaps.html

Re:Recently become available?

[angus_rg]

int Yes = setreuid(owned, biatch);

Re:Recently become available?

[icedevil]

The biggest problem I see with the current system is that it isn't comprehensive. There's no easy way to provide trusted computing to memory (especially shared on the system, distributed or otherwise networked), security models generally don't work over clusters (eg: migrating a process from one machine to another won't necessarily migrate security labels or permissions), VNIC and Infiniband cards can RDMA direct into and out of memory without reference to security models, etc. This isn't a Linux problem, per se, in most cases. It's a hardware problem. Hardware is designed to be insecure, by design, and there is nothing any OS can do about such limitations.

I would agree in general, however most cluster environments that I've dealt with are not very concerned about internal security (i.e. everyone with access is trusted, and working on similar things.) They tend to be more interested in external security, gaining access to the cluster from an external system. Many times these clusters are on private networks for this very reason. Now a grid situation poses a more difficult challenge as you often times have many systems with different staff (of varying levels of experience) maintaining the systems, with many semi-trusted users on a system at any given time.

Again, not disagreeing or saying your points aren't valid, just pointing out what I've seen in practice.

Re:Recently become available?

anyone have a link to the list of capabilities now allowed ( couldn't see that in the article)

Re:Recently become available?

[jd]

Oh, I completely agree that that is what is done in practice. However, I think it's stupid and naive - even if you completely trust all the users, you can't trust all of the users' applications to be so bug-free all the time that they don't disrupt the system or delete critical files. For that matter, from the earliest known AT&T malware to computer viruses, malware has got itself added without the knowledge of users onto software.

If you want to get a bit more paranoid, the sorts of companies using high-end clustering and HPC systems tend to be cut-throat, and viruses are cheaper to develop than products. I'm not saying that that has happened, but if you wanted to poach trade secrets, or screw up other people's results, that would seem to be an obvious weak link that would be much easier to hide and sustain than the usual social engineering techniques.

If you want to get really paranoid, social engineering techniques ARE commonly used to break into systems. Unless all of the users undergo lie-detector tests using fMRI on a daily basis, how much should a company trust the users? Whether it's an aerospace corporation, a pharmacutical company or a Formula 1 racing team, the expense needed to pull a few Mitnick-like stunts but with hostile intent would be so insignificant compared to the cost of the projects these businesses do that it would be insane to assume it couldn't happen.

Yes, you are absolutely correct. There are no B3-class clusters, at least not that I know of, and none of the Linux clustering software bothers with security beyond the most basic at the gateway point. HPC hardware generally has little or no support for security of any kind, aiming to maximize throughput. Admirable an desirable, but pointless if it means the results can't be used for anything.

OT: ACLs

[Richard+W.M.+Jones]

Well, the article is about capabilities, not ACLs, and Linux has had ACLs in the filesystem for years too.

To get to the point though: Administrators don't use ACLs on Linux because they make file permissions much harder to understand, for what is in reality an unimportant increase in expressiveness. Simple user/other permissions are easy to understand and work 99% of the time, groups fill in another few cases (eg. permissions on shared sockets), and ACLs are almost never necessary.

SELinux is another "interesting" area. Since I started to use Fedora again, I really wanted to use SELinux. I really did. But because I'm always using Rawhide (the bleeding-edge development version) I've had to turn SELinux off. It's too complex to understand and breaks too often on Rawhide. I'd only recommend it on a stable version (eg. RHEL/Centos) and then just as a final line of defense security measure, not to implement ACLs.

Rich

Re:OT: ACLs

[SmackedFly]

Not completely true. For normal server usage ACLs are excessive, but for file sharing setups they can really save complexity for the user. The user,group,everyone scenario takes some time to wrap your head around. Also, there are lots of scenarios where you just need to make a small change, where unix permissions force you to make lots of changes to change permissions of an object.

The real issue Linux has over Windows is the lack of recursive group support, aka. 'groups of groups', which can really remove the complexity of a setup. Though the nss_ldap module DOES actually add support for it, which happens to be the scenario where it's most useful.

That said, this is about granular setuid, nothing else.

Re:OT: ACLs

[EvanED]

To get to the point though: Administrators don't use ACLs on Linux because they make file permissions much harder to understand, for what is in reality an unimportant increase in expressiveness
For at least one setting -- a school setup -- they are almost vital.

Suppose I am working on a project with one other person from my class, and we need to share files. How can I do that without making them readable and writable by too many people? AFAIK, I can't. I don't think I can create a group without root privileges, so I can't make a group with just the two of us. The best I can do is use the class that this is for, make it readable and writable by everyone in that group, then put the files in some deep directory like ~/classes/cs392/project/project3/working or something. Security by obscurity FTW.

I guess I could write a setuid program to update the files.

Whereas if I have ACLs I can put an ACL on the directory that says he can read and write, but no one else can.

Which of those seems like the best solution to you?

Re:OT: ACLs

Email your administrator and ask for a new project group with the two of you in it, or even better, email your administrator and ask for a new repository/depot/database in whatever SCM system you should be using so you can share your project files correctly.

Re:OT: ACLs

[EvanED]

Yes, so every time I want to do a project, I need to get the admins in on it? Great system. (Fortunately at this point I can just do it myself; my grad school uses AFS which provides the ability for users to manage ACLs. Actually undergrad supposedly provided ACLs, but I tried a little and couldn't get them to work.)

It would have been nice if they provided a good Subversion server we could use, but to my knowledge they didn't. Anyway I was simplifying the above discussion slightly; when doing such a project it was a filesystem-based SVN repository that was shared in the first place, not a working directory. (So you would do something like "svn co file:///home/evaned/subversionrepos/classes/498/project".)

I mastered them...

[m2943]

by not using them. They are some holdover from a time when people thought that VMS was so much better than UNIX because it had so many more features.

The first principle of security is KISS, and they violate this principle big time.

Re:I mastered them...

[audi100quattro]

Yes they do, give me memory/stack protection over POSIX ACL's any day.

Re:I mastered them...

> They are some holdover from a time when people thought that VMS was so much better than UNIX because it had so many more features.

When it comes to security, it was then and is now superior to UNIX.

> The first principle of security is KISS

It's a nice principle to follow for systems designed by amateurs who don't know the first thing about actual principles, yes.

Re:I mastered them...

[dasunt]

It's a nice principle to follow for systems designed by amateurs who don't know the first thing about actual principles, yes.

A system that relies on the administrator being a security guru probably isn't that secure in the real world where most administrators don't have time to become security experts...

Re:I mastered them...

[tuomoks]

You need points! Not that an administrator couldn't be a security guru I have always wondered this whole paradigm that programs have a a control over security, access rights, etc? Isn't that (shouldn't that) be an external function in a system? Sorry, I'm (still) a mainframe person and it doesn't matter if you set supervisory, root, whatever bit in program, you don't get it because it wasn't allowed by system. I like POSIX because it standardizes a lot of coding but IMHO before there are standard methods to control any program externally it is too easy make mistakes.

setuid in windows

AFAIR the default in windows (at least up to vista) was to make EVERYTHING "setuid root", even child games would require root access to RUN (as opposed to installation)

old news

[Tom]

What a misleading article. There are some technical details that are new, but capabilities are extremely old and have been available for Linux for almost a decade. They haven't seen much use, and that's the part that might change, but filing this as a new development is stupid. It'll only invite the windos shills to claim that windos is so much better because they've had granular permissions for sooo long (yes, they had, for about the same time Linux did. same story, almost nobody uses them.)

Re:old news

[IkeTo]

> There are some technical details that are new, but capabilities are
> extremely old and have been available for Linux for almost a decade.

I don't think so. Process capabilities are there for a long time, but file capabilities has not been there (in other words, there is no file system that support letting users to set programs to be "setuid 0, but only allow sending signals to arbitrary processes, without any other special ability of the root user"). Without file capabilities, only programmers can make use of process capabilities, system admins cannot. Since programs are usually written with portability in mind, this means they are never used. With file capabilities, a whole new class of users now can make use of the interface, in particular system admins and distribution maintainers. The article did provide very useful information for them.

Re:old news

POSIX capabilities != POSIX file capabilities, the former is for setting permissions on a running process while the latter for executables on the filesystem. POSIX file capbilities is more like a fine-grained suid bit. The very first sentence of TFA was "Linux® has been using capabilities for years, but has recently acquired POSIX file capabilities".

Re:old news

[cocacoch]

Since the so called sendmail capabilities bug there was no broad use of capabilities. But inside the kernel, capabilities "survived". If a process was asking for a privileged action like opening a privileged port, the process was checked for having the needed capability. As there was no way to grant a process a distinct capability the only way was to start this process in the context of root, who has by definition all capabilities. Now its possible to give the binary the extended attribute capability and if so the resulting process is checked whether it has the needed capability (which is stored inside the xattr capability). Now you don't have to trust the program to reduce its set of capabilities, you can start it with and only with the needed capabilities. So if ping goes wild, it can only open more ports but not - lets say - change your /etc/passwd. Now, there is a mean to eliminate root-owned suid-bit binaries. For examples have a look at my documentation: http://www.friedhoff.org/fscaps.html

Re:old news

[nuzak]

> (in other words, there is no file system that support letting users to set programs to be "setuid 0, but only allow sending signals to arbitrary processes, without any other special ability of the root user"

Doesn't it sound barkingly insane to say "run as a God User except only able to do X, Y, and Z?" Why indeed even have root in the first place? But that's still what these capabilities are -- set a single set of bits in a process (to all zeros no less) and let it do everything, THEN strip out what it can do afterward.

Sane security models that have anything like a superuser don't allow them to do much of anything except adopt a different set of permissions.

Re:old news

[cocacoch]

If you grant the necessary capability, there is no reason to run the binary in the context of root. Just give enough power in the form of capabilities and you don't need and don't have any suid0 progs. Before the you had to rely on the root-started binary to reduce the set of capabilities itself. Now you start the binary in an unprivileged user context with just this needed set of capabilities.

Re:old news

[Monkius]

Well, there was and is broad use, I think. For example, grsecurity (http://www.grsecurity.org/) allow policies to be created wherein policies are granted and revoked to specific processes. Neither modification of programs nor file labelling is required. Selinux of course also allows administrators fine-grained control over capabilities--in a much more comprehensive framework than these file capabilities.

Re:old news

[cocacoch]

I'm accompanying this implementation with documentation and testing of file capabilities since more than a year. My impression is since the usage of capabilities is as simple as storing them in the file system and using the in-kernel infrastructure, there is wider interest in capabilities and more development in this field. Now you can control the power of programs and daemons/server, in a simple and intuitive way. You don't have to trust the program to decrease its capabilities. See here for examples http://www.friedhoff.org/posixfilecaps.html. And you can secure your system without a security infrastructure, of which quite a few people say they are to complicated to be securely applied. If you know people/systems that use capabilities to secure systems, let me know.

Linux ACLs

[sentientbrendan]

>Well, the article is about capabilities, not ACLs, and Linux has had ACLs in the
>filesystem for years too.
Years yes... but they are still fairly new compared to the ACLs that are present in NTFS. Also, ACL's aren't really universal or standardized in linux. SELinux provides ACLs, as does AppArmor, which suze uses. It's kind of hard to adopt a permissions system that works differently between distros and not at all on some.

Which goes to your other point about people not using ACLs in Linux often. This is largely a cultural thing left over from unix, which discarded ACLs in order to save space on the file system, which is now a non issue.

>Administrators don't use ACLs on Linux because they make file permissions much harder
>to understand, for what is in reality an unimportant increase in expressiveness.
You're saying that probably because you've only used single user Linux systems... which kind of defeats the purpose of unix as a multiuser operating system btw. ACLs provide a very important level of expressiveness on a multiuser system.

If user A wants to share files with user B, but no one else (say user A has an SVN repository) without ACL's a special group has to be created and A and B are added as members. This means that something as simple as giving someone else access to your files requires elevation to root! On a large multiuser system, very few users have root access, so it is usually simply impossible. Being able to add an ACL to your file that says "allow user A" solves the problem elegantly.

Linux ACL's have taken a while to arrive and mature, but I've used them a number of times to solve the problem above and I'm glad they are finally here and hope for more consistent support in the future. When you don't need ACL's, they may seem like unnecessary complexity. In that case, feel free to ignore them and use the traditional user/group/other permissions. When you need them though, you will be very glad they are there. Generally, if you really need to do something with ACL's and you try to emulate it with groups, you are likely to open security holes, or make your system unusable for some class of users you didn't think of. ACL's are not the simple solution to the problem, but they are often the only correct solution, which matters a lot to some people.

Re:Linux ACLs

[amorsen]

SELinux provides ACLs, as does AppArmor, which suze uses. It's kind of hard to adopt a permissions system that works differently between distros and not at all on some.

Neither SELinux nor AppArmor provides ACLs. ACLs are discretionary access controls, users can change the permissions. SELinux and AppArmor provide mandatory access control.

ACLs have been in the Linux file systems for ages, and they work exactly the same across distributions. They just aren't used.

Re:Linux ACLs

[rabtech]

Delegation is the key; with ACLs you can delegate rights to any combination of users and groups and have those rights be inherited, either by files, subfolders, or both.

For example you could give CHANGE_PERMISSIONS to CREATOR_OWNER on \Users, to be inherited by subfolders and files only (not Users itself). Then a user can grant other people access to his or her files without having to be root (administrator).

In Windows, it isn't just the filesystem that supports ACLs; processes, kernel objects, etc all support them too. In fact inside the NT kernel everything is a file just like on Unix; ever see a file path given ala "\\?\blahblahblah"? That's an NT Executive path from the root. All volumes, processes, sockets, objects, the registry, etc are mounted here. There's a handy trick where you can delete a file using its kernel path even when Windows says the file is in use, because the kernel isn't what enforces the sharing semantics.

Re:Linux ACLs

[coryking]

This is largely a cultural thing left over from unix, which discarded ACLs in order to save space on the file system Besides being a cultural thing, traditional unix filesystem permissions are far to entrenched for ACL's to take over. Does tar preserve anything but "owner, group, world"? Does Apache cope with ACL's? PHP? In all my travels, I've never once used ACLs or seen them used. Has anybody used them?

The bigger problem with ACL's in unix is the command line isn't a very good way to handle complex permissions. Complex permissions require complex displays. For example, using nothing but text, how do you show that for a given directory, a role gets it's permissions via inheritance, or by being explicitly set for that directory? In a GUI, you'd use a tri-state check box and make them "grey checked" if they inherited the permission. You could do it even in curses. The only place it gets tricky is trying to do it straight on the command line, especially if you say "no color allowed".

Really, the only way for ACL's to catch on is better tools. The only "better tools" are either straight GUI's or something using curses.

Re:Linux ACLs

[ratboy666]

That IS a problem. But it's not the reason ACLs (discretionary access control) isn't used much. Indeed, it isn't used on Windows, either.

The reason(s) its not used are:

1 - too complicated. period.
2 - only NEEDED for 10% or less of the cases. The other 90% is handled nicely by uga permissions.
3 - see (1). Because it's THAT complicated, ACLs cannot be audited. Since the auditing is impractical, its not going to be done. As a DIRECT result, the calculus of ACLs must be such that ACLs can be effectively reasoned about. And with SO many properties in the VMS/Windows world, that ain't happening.

To give you a PRACTICAL example of "ACL failure", let me relate a VMS story. I had set my script that is automatically executed at startup to readable by anyone, and writeable by me. Only. Except that I was a VMS "newbie" (only been using it for a year!) and I hadn't realized that "write" ACTUALLY meant WRITE TO THIS VERSION OF THE FILE.

Think about it -- my default home directory was set to remove the WRITE permission, but CREATE... another story. And, since VMS stores an automatic backup of a file on CREATE (versioning), another user was able to simply CREATE a new startup script in my directory. I was wheeled this way (and schooled, see below). The newly created script sucked my files (executing as me, of course, on my next login). And it then erased itself (now having permission to do so).

The schooling? I tend to like the uga scheme more. There are ONLY 3 permissions to reason about (actually 5), and only 3 classes of users. The permissions are contained.

Anyway, the discussion is about MACs not ACLs, which are a completely different thing. I believe that the NT core tries to apply ACLs to things that are not files (eg. processes). If so, I believe that is a mistake (re-read my horror story above).

Re:Linux ACLs

[ratboy666]

"Years yes... but they are still fairly new compared to the ACLs that are present in NTFS. Also, ACL's aren't really universal or standardized in linux."

Linux ACLs are an implementation of POSIX 1003.1e draft 17. Every Linux. Everwhere. Maybe "still fairly new compared to the ACLs that are present in NTFS" is true.

Re:Linux ACLs

In Windows, it isn't just the filesystem that supports ACLs; processes, kernel objects, etc all support them too. In fact inside the NT kernel everything is a file just like on Unix; ever see a file path given ala "\\?\blahblahblah"? That's an NT Executive path from the root.

Yeah, and Windows is really secure too. Must be working!

Re:Linux ACLs

[fluffy99]

It's only too complicated on Linux. Heck, I'm be thrilled if Samba handled file permissions correctly let you change permissions without having to ssh in and do it as root. No problem though, I run my file servers on Windows where I don't have to mess with such crap.

Goof ups similar to your VMS example are very easy to run into under both Linux and Windows too. Try using the EXT extended attributes to apply acls. A few setuid tools totally ignore them, and they disappear with back and restore. Plus you need to be root to use them in the first place. Another good example is users setting file permissions on a MS Word file. Next time the user saves the document it will assume the default permissions of the folder it's in (because word saves a a temp file, deletes the original and renames the temp file). Maybe I'm making the case that permissions should be kept simple, but there are too many cases where you need complex ones.

Re:Linux ACLs

[sentientbrendan]

>I've never once used ACLs or seen them used. Has anybody used them?
I gave an example of where I've used ACL's in my post (a non root user try to give access to specific others to his files without giving everyone access). I also have run into a lot of other people who hit the same problem, but simply gave up because it couldn't be done without creating a whole new group, which they sometimes couldn't do... I suspect if you haven't noticed the limitations of user/group/everyone bits, you've been trying pretty hard to ignore them.

As you say, 90% of the cases may work without ACL's, but that isn't good enough. You're saying that you're ok with your security model just not working 10% of the time? Maybe you'd be fine with handing out your password to 10% of the people on the internet?

Re:Linux ACLs

[coryking]

I'm not saying ACL's are bad. I think ACL's would be a very useful addition to Linux. Owner,Group,World is just not granular enough for big groups of people. I dont use ACL's on linux because they are just to much of a pain in the ass. I even turn them off on the filesystem so if somebody hacks the box they cannot bury shit in the ACL structure in a way I cannot see it using ls -l (and yes, I know it gives a hint that there are ACL's on a file).

I'm saying in their current state, ACL's are unusable mainly because the tool support for them sucks hard rocks. It is really hard to pull off a good ACL implementation using a 100% green screen command line interface. You need at least color, and even better a rich GUI.

Re:Linux ACLs

Neither SELinux nor AppArmor provides ACLs. ACLs are discretionary access [control lists], users can change the permissions. SELinux and AppArmor provide mandatory access control.

I fail to see a d or m prefix in 'ACL'. ACL's are access control lists. Full stop. Providing access control via list is sufficient to provide ACLs.

Re:Linux ACLs

For example, using nothing but text, how do you show that for a given directory, a role gets it's permissions via inheritance, or by being explicitly set for that directory?

By adding "(inherited)" to the end of the line if appropriate? If you weren't at least one of stupid, lazy or trolling, I'm sure you could have thought of plenty of other ways yourself.

I don't think that's right...

[Junta]

Seeing as how you can make an unprivileged account and those programs are prevented from doing this or that. It's just that all recommendations/forums/etc/etc have *always* said 'always run as an administrator account' because Windows applications as a rule may not be well designed for a well secured environment.

If *everything* was setuid, it wouldn't matter whether you had administrator privilege or not. Also, runas wouldn't be needed for privilege escalation.

stack smashing protection and the sort

http://www.gentoo.org/proj/en/hardened/ (other ways to harden your system are available)
wor
stack smashing
Transparent implementation of PaX address space layout randomizations and stack smashing protections using ELF shared objects as executables.

also regading acl
RSBAC is Mandatory Access Control security system based on the GFAC framework logic. It includes standard models, like the Role Compatibility, Access Control Lists and Mandatory Access Control. RSBAC enforces access control rules on your operating system.

however AFAIK this stuff is only used by super admins because its the oposite of the 10% rule its 90% of the work to get 10% of the protection.

Win32 AdjustTokenPrivileges

[SchroedingersCat]

Windows had this functionality since day one. Lookup AdjustTokenPrivileges() on MSDN

You know what?

[roman_mir]

With my parents using Ubuntu, I must say this:

I hope that by 2008 the desktop will be ready for GNU/Linux.

Unfortunately...

[Junta]

ls is not equipped (as far as I know) for displaying acls.

$ getfacl .
# file: .
# owner: ownaccount
# group: owngroup
user::rwx
group::r-x
other::r-x

That was default, reflecting:
drwxr-xr-x 2 ownaccount owngroup 4096 2007-12-23 12:28 .

$ setfacl -m mythtv:rw .
$ getfacl .
# file: .
# owner: ownaccount
# group: owngroup
user::rwx
user:mythtv:rw-
group::r-x
mask::rwx
other::r-x

And ls shows:
drwxrwxr-x+ 2 ownuser owngroup 4096 2007-12-23 12:28 .

Note the +. It's enough to indicate acl existance, but not more than that.

nope, we "invented" prior to Sun

[r00t]

Years ago, we swiped the idea from SGI's Irix. They seem to have swiped it from Data General's DG-UX.

We implemented everything but the filesystem support. Filesystem support is complicated. It's actually SE Linux that has driven our ability to put arbitrary security markings on files, along with non-security desires for various extended attribute and multi-fork things.

Unfortunately the set of bits was nearly copied from SGI's Irix, where it was botched. The bit choice is inflexible, redundant, and rather small. See, there's this "admin" bit that controls nearly everything...

SGI also botched the math. Well, to excuse them a bit, the POSIX draft (never ratified) went through dramatic changes to the equations a few times.

Really we ought to rip out the trash and clone what Sun has, but that is terribly hard for compatibility. Some programs already deal with the capabilitites. For example, I think sendmail drops capability bits.

right, this actually adds holes

[r00t]

Lots of programs try to limit themselves when run as setuid root. For example, they refuse some kind of user input. If they see that they are NOT running setuid root, then they assume that they have no privilage and that thus there is no need to limit themselves.

Other programs assume that if ONE privileged operation succeeds, then some OTHER privileged operation will also succeed. (because root can traditionally do everything) When that other operation fails unexpectedly, you may get some sort of inconsistant state. Inconsistant state is the playground of an attacker.

With this new feature, both sorts of sloppy programming become security holes.

Re:right, this actually adds holes

[msuarezalvarez]

With this new feature, both sorts of sloppy programming become security holes.

Sloppy programming is security holes.

Assuming the implemenation works fine, then if an app is making the assumption that because it can do X then it can do Y, well, it will find out that it really cannot do Y, and it'll get killed. Then you can fix it. Ah, the tragedy!

Re:right, this actually adds holes

[r00t]

That could be a big problem, commonly a denial-of-service.

Suppose the app takes a lock (or similar) which requires privilege. This succeeds. The app then does something else which requires privilage, and fails.

If the app dies at this point, things are stuck. Hopefully a reboot can clear the problem. Depending on the nature of the app, you may well have database corruption.

BTW, maybe I shouldn't have referred to the first case as sloppy programming. It's perfectly legit on a traditional system that lacks the fancy new features. The resulting security problem has actually happened, with sendmail on Linux.

Re:right, this actually adds holes

[msuarezalvarez]

The resulting security problem has actually happened, with sendmail on Linux

And it was fixed. Ah, the tragedy.

More complexity = less security

[xtronics]

Be afraid of complexity junkies where security is involved.

I've used and supported both Windoze and Unix systems and find that the more complex file permissions are the more likely they are to be simply turned off. The Current Linux system works well enough and users can understand it well enough. These other fixes will only create 10 times the problems they claim to fix.

Re:More complexity = less security

[Just+Some+Guy]

Be afraid of complexity junkies where security is involved.

I don't think that the OpenBSD folks are complexity junkies. OK, I'm not really up on all this stuff, but I think I get the gist of their thinking. Here's what I believe the pro-capabilities people would tell you:

You're advocating a false economy. Sure, capabilities are potentially complex and the implementation is hard to get right. Still, you only have to do it right one time and everything else benefits. In today's situation, we have things like "ping" running setuid root so that it can create raw sockets and Apache launching as root so that it can bind port 80 before dropping privileges.

Instead of counting on one central well-audited capabilities system, you're now counting on two applications to Do The Right Thing under all circumstances. That seems simpler from the perspective of someone who believes that central library to be an unobtainable goal, but a whole lot more complex for someone who thinks that can make capabilities work correctly.

Again, I don't really understand all the implications and haven't wittingly used such a system, but I believe that's the reasoning people give for doing this stuff.

Re:More complexity = less security

[poopdeville]

You're advocating a false economy. Sure, capabilities are potentially complex and the implementation is hard to get right. Still, you only have to do it right one time and everything else benefits. In today's situation, we have things like "ping" running setuid root so that it can create raw sockets and Apache launching as root so that it can bind port 80 before dropping privileges.

Yup. If Debian came out with an apt package that implemented ACLs that just worked with apt, dozens of people around the world would use it. Ubuntu would probably pick it up and turn it on by default (since less flexibility is needed on the desktop), leading to hundreds of people benefitting.

Too much to hope for?

[glwtta]

Does this mean that I'll finally be able to allow servers to bind to port 80, without having to run the whole thing as root? Please?

Apache does pretty well with "downgrading" its running privileges, but many others, not so much.

Re:Too much to hope for?

[Nevyn]

Yes, CAP_NET_BIND_SERVICE is a distinct capability. See "man capabilities" on a Linux box, although you may also want to give it CAP_SYS_CHROOT ... depending on how paranoid you are.

Yes, but...

[Junta]

It's better than the alternative of all-out access. That's why only one security mechanism isn't enough. In your case, if they managed to exploit ping for raw socket access to arp spoof, they could launch a DoS or start a man-in-the-middle attack. Not much can be done with the DoS, but SSL and ssh protocols should guard against the man-in-the-middle if used correctly.

The point is every facility needs to do it's part to mitigate risk security wise. It may be better to provide a facility to do ICMP echo request and forward replies without administrator privilege somehow (if ICMP weren't designed the way it is, it probably would have existed long ago), but this was merely an easy-to-follow example of risk mitigation through restricted capabilities, showing a reduced exposure over the previous practice, not an eliminated exposure..