Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mastering POSIX File Capabilities

Posted by kdawson on from the wee-dram-of-privilege dept.

An anonymous reader passes along an IBM DeveloperWorks article on POSIX file capabilities, which have recently become available in the Linux kernel; they are expected in the mainline kernel by 2.6.24. POSIX file capabilities parcel out root user powers into smaller privileges. The article details how to program using file capabilities and how to switch on the ability of a system's setuid root binaries to use file capabilities.

23 of 80 comments (clear)

  1. Re:At last by Anonymous Coward · · Score: 5, Informative

    Nope, I don't think you read and/or understood the article. This has nothing to do with file permissions it affects what 'capabilities' the resulting process has when it is executed. As far as I know Windows does not have anything similar. As for NTFS style ACLs those have been around for a while, google for POSIX ACLs.

  2. Not the correct comparison. by Junta · · Score: 5, Informative

    Linux has had filesystem ACLs for ages (arbitrary lists of people with sets of permissions above and beyond user/group/world permissions).

    This is essentially a finer-grained setuid. I.e., before, the filesystem permission granularity was 'the /bin/ping program code is permitted to assume root privileges', because ping needed to do *one* thing that only root could do. Code in this position is generally thoroughly audited and such, but presume for a moment a user figured out a buffer overflow using some ICMP pattern that would cause ping to execute arbitrary code. If not written correctly, the results could be disasterous. If well written, the program code has dropped all but the capability it needed, but the kernel/permissions aren't forcing the issue so the code must be trusted.

    Enter this mechanism. Now, you can *force* the issue in the filesystem permissions to never even possibly allow ping anything but what it needed. If ping was badly written to not drop any privileges, and a malicious user overflowed, he'd still only be able to create raw sockets, and nothing more.

    This sort of complexity I'm not sure is dealt with in Windows (or how) I don't even know what may or may not need setuid to be a good example under their architecture. It certainly paves the way for future distributions to have a lot fewer setuid programs to worry about (though, on the flip side, programs with few enhanced capabilities may still be dangerous and yet be less obvious as it isn't setuid, file listing may have to be tweaked to reflect the kinda-setuid nature to leave awareness).

    --
    XML is like violence. If it doesn't solve the problem, use more.
  3. Re:At last by PenisLands · · Score: 3, Funny

    Yes. Now in a year or so, Linux will be ready for the desktop. 2008 is the year of Linux on the desktop!

  4. Recently become available? by RAMMS+EIN · · Score: 2, Interesting

    Quoth the summary:

    ``POSIX file capabilities, which have recently become available in the Linux kernel; they are expected in the mainline kernel by 2.6.24.''

    Recently become available? Haven't POSIX capabilities been in Linux for some time? I seem to recall reading about them in the documentation for some 2.4 kernel, and there is a Gentoo page about them from some time in 2005. Am I missing something?

    --
    Please correct me if I got my facts wrong.
    1. Re:Recently become available? by xSauronx · · Score: 3, Funny

      *waves hand in front of you* this is not the capabilities you are looking for.

      --
      By and large, language is a tool for concealing the truth. -- George Carlin
    2. Re:Recently become available? by Junta · · Score: 4, Informative

      POSIX capabilities are old, the ability to store which capabilities are permitted just like ACLs/owner/permission is new.

      So before, ping gets executed and it's up to ping code to assume/give up unneeded POSIX capabilities as permitted by the rather broad setuid bit. Now, it's execed only with the appropriate capabilities even being possible, without needing the rather broad setuid bit being set. Setuid can be safe with effort, but if the program can operate under a more specific security context, all the better.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:Recently become available? by RAMMS+EIN · · Score: 2, Interesting

      Ah, I see now that I _was_ missing something.

      What is new is not that Linux has POSIX capabilities.

      What is new is that you can store a description of the capabilities an executable is to receive _on the executable_.

      --
      Please correct me if I got my facts wrong.
    4. Re:Recently become available? by jd · · Score: 2, Insightful
      Patches for POSIX ACLs have existed for some time. Patches for controls in excess of POSIX have also existed for some time. Some filesystems have also supported ACLs (POSIX or their own) for some time, independently of the rest of the kernel. Linux also has very sophisticated security modules, including Linux capabilities and SELinux.

      Linux having full POSIX capabilities is good, but frankly there are getting to be too many wholly independent security mechanisms. That's not to say that a single system would be good for everyone, but rather there should be only a few fundamental mechanisms which can be skinned to look like any of the "standard" mechanisms. The skins would then replace most of the implemented mechanisms, they would merely be configuration details. This reduces the possibility of insecurity by having too many opportunities for bugs, without limiting the system admins.

      The biggest problem I see with the current system is that it isn't comprehensive. There's no easy way to provide trusted computing to memory (especially shared on the system, distributed or otherwise networked), security models generally don't work over clusters (eg: migrating a process from one machine to another won't necessarily migrate security labels or permissions), VNIC and Infiniband cards can RDMA direct into and out of memory without reference to security models, etc. This isn't a Linux problem, per se, in most cases. It's a hardware problem. Hardware is designed to be insecure, by design, and there is nothing any OS can do about such limitations.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  5. Re:RBAC, Anyone? by amorsen · · Score: 2, Interesting

    RBAC has been in Linux for a long time, in the form of SELinux. The new thing is that you can store the privileges in the file system. The advantage is that you don't need to modify your formerly set-uid applications, so it is easier on the system administrator. The disadvantage is that you don't need to modify your applications, so any security vulnerabilities caused by running with a lower privilege (yes, that is possible) might not be discovered by the good guys first.

    --
    Finally! A year of moderation! Ready for 2019?
  6. OT: ACLs by Richard+W.M.+Jones · · Score: 4, Interesting

    Well, the article is about capabilities, not ACLs, and Linux has had ACLs in the filesystem for years too.

    To get to the point though: Administrators don't use ACLs on Linux because they make file permissions much harder to understand, for what is in reality an unimportant increase in expressiveness. Simple user/other permissions are easy to understand and work 99% of the time, groups fill in another few cases (eg. permissions on shared sockets), and ACLs are almost never necessary.

    SELinux is another "interesting" area. Since I started to use Fedora again, I really wanted to use SELinux. I really did. But because I'm always using Rawhide (the bleeding-edge development version) I've had to turn SELinux off. It's too complex to understand and breaks too often on Rawhide. I'd only recommend it on a stable version (eg. RHEL/Centos) and then just as a final line of defense security measure, not to implement ACLs.

    Rich

    --
    libguestfs - tools for accessing and modifying virtual machine disk images
  7. I mastered them... by m2943 · · Score: 4, Insightful

    by not using them. They are some holdover from a time when people thought that VMS was so much better than UNIX because it had so many more features.

    The first principle of security is KISS, and they violate this principle big time.

    1. Re:I mastered them... by audi100quattro · · Score: 2, Insightful

      Yes they do, give me memory/stack protection over POSIX ACL's any day.

  8. Linux ACLs by sentientbrendan · · Score: 2, Interesting

    >Well, the article is about capabilities, not ACLs, and Linux has had ACLs in the
    >filesystem for years too.
    Years yes... but they are still fairly new compared to the ACLs that are present in NTFS. Also, ACL's aren't really universal or standardized in linux. SELinux provides ACLs, as does AppArmor, which suze uses. It's kind of hard to adopt a permissions system that works differently between distros and not at all on some.

    Which goes to your other point about people not using ACLs in Linux often. This is largely a cultural thing left over from unix, which discarded ACLs in order to save space on the file system, which is now a non issue.

    >Administrators don't use ACLs on Linux because they make file permissions much harder
    >to understand, for what is in reality an unimportant increase in expressiveness.
    You're saying that probably because you've only used single user Linux systems... which kind of defeats the purpose of unix as a multiuser operating system btw. ACLs provide a very important level of expressiveness on a multiuser system.

    If user A wants to share files with user B, but no one else (say user A has an SVN repository) without ACL's a special group has to be created and A and B are added as members. This means that something as simple as giving someone else access to your files requires elevation to root! On a large multiuser system, very few users have root access, so it is usually simply impossible. Being able to add an ACL to your file that says "allow user A" solves the problem elegantly.

    Linux ACL's have taken a while to arrive and mature, but I've used them a number of times to solve the problem above and I'm glad they are finally here and hope for more consistent support in the future. When you don't need ACL's, they may seem like unnecessary complexity. In that case, feel free to ignore them and use the traditional user/group/other permissions. When you need them though, you will be very glad they are there. Generally, if you really need to do something with ACL's and you try to emulate it with groups, you are likely to open security holes, or make your system unusable for some class of users you didn't think of. ACL's are not the simple solution to the problem, but they are often the only correct solution, which matters a lot to some people.

    1. Re:Linux ACLs by amorsen · · Score: 2, Informative

      SELinux provides ACLs, as does AppArmor, which suze uses. It's kind of hard to adopt a permissions system that works differently between distros and not at all on some.

      Neither SELinux nor AppArmor provides ACLs. ACLs are discretionary access controls, users can change the permissions. SELinux and AppArmor provide mandatory access control.

      ACLs have been in the Linux file systems for ages, and they work exactly the same across distributions. They just aren't used.

      --
      Finally! A year of moderation! Ready for 2019?
    2. Re:Linux ACLs by sentientbrendan · · Score: 2, Interesting

      >I've never once used ACLs or seen them used. Has anybody used them?
      I gave an example of where I've used ACL's in my post (a non root user try to give access to specific others to his files without giving everyone access). I also have run into a lot of other people who hit the same problem, but simply gave up because it couldn't be done without creating a whole new group, which they sometimes couldn't do... I suspect if you haven't noticed the limitations of user/group/everyone bits, you've been trying pretty hard to ignore them.

      As you say, 90% of the cases may work without ACL's, but that isn't good enough. You're saying that you're ok with your security model just not working 10% of the time? Maybe you'd be fine with handing out your password to 10% of the people on the internet?

  9. Re:old news by cocacoch · · Score: 2, Informative

    Since the so called sendmail capabilities bug there was no broad use of capabilities. But inside the kernel, capabilities "survived". If a process was asking for a privileged action like opening a privileged port, the process was checked for having the needed capability. As there was no way to grant a process a distinct capability the only way was to start this process in the context of root, who has by definition all capabilities. Now its possible to give the binary the extended attribute capability and if so the resulting process is checked whether it has the needed capability (which is stored inside the xattr capability). Now you don't have to trust the program to reduce its set of capabilities, you can start it with and only with the needed capabilities. So if ping goes wild, it can only open more ports but not - lets say - change your /etc/passwd. Now, there is a mean to eliminate root-owned suid-bit binaries. For examples have a look at my documentation: http://www.friedhoff.org/fscaps.html

  10. Win32 AdjustTokenPrivileges by SchroedingersCat · · Score: 2, Interesting

    Windows had this functionality since day one. Lookup AdjustTokenPrivileges() on MSDN

  11. Unfortunately... by Junta · · Score: 5, Informative

    ls is not equipped (as far as I know) for displaying acls.

    $ getfacl .
    # file: .
    # owner: ownaccount
    # group: owngroup
    user::rwx
    group::r-x
    other::r-x

    That was default, reflecting:
    drwxr-xr-x 2 ownaccount owngroup 4096 2007-12-23 12:28 .

    $ setfacl -m mythtv:rw .
    $ getfacl .
    # file: .
    # owner: ownaccount
    # group: owngroup
    user::rwx
    user:mythtv:rw-
    group::r-x
    mask::rwx
    other::r-x

    And ls shows:
    drwxrwxr-x+ 2 ownuser owngroup 4096 2007-12-23 12:28 .

    Note the +. It's enough to indicate acl existance, but not more than that.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  12. Re:At last by rabtech · · Score: 2, Interesting

    Actually it does have similar mechanisms, in a way. Every process has a security token that determines what the process can and can't do. The main problem is that Windows doesn't really expose a good way to alter these permissions when the program is launched - it picks up whatever rights and permissions the user has. Runas is a good way around this, but there is no fundamental reason Windows couldn't let you right-click an exe, go to a permissions tab, and uncheck various permissions... like communicating over the network.

    --
    Natural != (nontoxic || beneficial)
  13. nope, we "invented" prior to Sun by r00t · · Score: 2, Interesting

    Years ago, we swiped the idea from SGI's Irix. They seem to have swiped it from Data General's DG-UX.

    We implemented everything but the filesystem support. Filesystem support is complicated. It's actually SE Linux that has driven our ability to put arbitrary security markings on files, along with non-security desires for various extended attribute and multi-fork things.

    Unfortunately the set of bits was nearly copied from SGI's Irix, where it was botched. The bit choice is inflexible, redundant, and rather small. See, there's this "admin" bit that controls nearly everything...

    SGI also botched the math. Well, to excuse them a bit, the POSIX draft (never ratified) went through dramatic changes to the equations a few times.

    Really we ought to rip out the trash and clone what Sun has, but that is terribly hard for compatibility. Some programs already deal with the capabilitites. For example, I think sendmail drops capability bits.

  14. More complexity = less security by xtronics · · Score: 3, Interesting

    Be afraid of complexity junkies where security is involved.

    I've used and supported both Windoze and Unix systems and find that the more complex file permissions are the more likely they are to be simply turned off. The Current Linux system works well enough and users can understand it well enough. These other fixes will only create 10 times the problems they claim to fix.

  15. Too much to hope for? by glwtta · · Score: 2, Informative

    Does this mean that I'll finally be able to allow servers to bind to port 80, without having to run the whole thing as root? Please?

    Apache does pretty well with "downgrading" its running privileges, but many others, not so much.

    --
    sic transit gloria mundi
    1. Re:Too much to hope for? by Nevyn · · Score: 2, Interesting

      Yes, CAP_NET_BIND_SERVICE is a distinct capability. See "man capabilities" on a Linux box, although you may also want to give it CAP_SYS_CHROOT ... depending on how paranoid you are.

      --
      ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B