Use capabilities to replace SUID binaries and "shared root"

There is a long forgotten feature in Linux (since kernel 2.2); capabilities (see man 7 capabilities).

SUID binaries are evil, because you are granting applications permissions to do anything, instead of just giving them permission for what they need to do.

The OS could allow i.e. HTTPD to only have CAP_NET_BIND_SERVICE, making it possible for HTTPD to bind to a low port, but only that.

This could seriously limit the use of a potential exploit in a web application, because an attacker gaining shell access via httpd would only have this capability, and not be able to create users, reset passwords etc.

It should also be possible to give specific users these permissions. This way, the "root" account would no longer need to be shared, but you can give users the CAP_SYS_ADMIN capability. The best way to implement this (I think) would be a PAM "session" module. The root account can therefore be used as a "last resort", instead of just sharing, or sudo'ing. Also, logging would be user specific, and not only "root broke something".

Of course, a lot of this can be implemented by using sudo, SELinux, but it would be easier if you could give users in your LDAP / NIS directory specific capabilities.
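The two things the post asks for already exist for files (not yet for users): a SUID bit can be replaced by a file capability with `setcap`, and a running process's capability sets can be audited from `/proc/<pid>/status`. The script below is an added example written for this page, not code from the original post. The capability bit numbers come from `linux/capability.h` (CAP_NET_BIND_SERVICE is bit 10, CAP_SYS_ADMIN is bit 21); the `httpd` status fragment is constructed sample data, and the function names are my own. The `setcap`/`getcap` invocations are real libcap commands, but they are only printed here, not executed, since applying them needs root and a filesystem with extended attributes.

```shell
#!/bin/sh
# Capability names in bit order: index in this list = capability number
# (taken from linux/capability.h, bits 0..37).
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid \
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable \
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock \
cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace \
cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource \
cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write \
cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog \
cap_wake_alarm cap_block_suspend cap_audit_read"

# decode_caps HEXMASK
# Prints the comma-separated names of the bits set in a CapEff/CapPrm-style
# hex mask, in bit order. An empty mask prints an empty line.
decode_caps() {
    mask=$((0x$1))
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out,}$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# effective_caps [STATUSFILE]
# Extracts the effective capability mask from a /proc/<pid>/status file
# (defaults to the current process; pass "-" to read from stdin).
effective_caps() {
    awk '/^CapEff:/ {print $2}' "${1:-/proc/self/status}"
}

# suid_to_filecap PATH CAPS
# Prints (does not run) the commands that drop the setuid bit from PATH and
# grant only CAPS as a file capability in the permitted+effective sets, then
# the getcap command to verify the result.
suid_to_filecap() {
    printf 'chmod u-s %s\n' "$1"
    printf 'setcap %s=ep %s\n' "$2" "$1"
    printf 'getcap %s\n' "$1"
}

# Constructed sample: what /proc/<pid>/status would show for an httpd that
# holds only CAP_NET_BIND_SERVICE (hypothetical process, not real output).
sample_status() {
    cat <<'EOF'
Name:	httpd
Pid:	4242
CapInh:	0000000000000000
CapPrm:	0000000000000400
CapEff:	0000000000000400
CapBnd:	0000003fffffffff
EOF
}

# Demonstration on the constructed sample (no root needed).
echo "effective capabilities of sample httpd:"
decode_caps "$(sample_status | effective_caps -)"
echo "what a full root process would carry in those 38 bits:"
decode_caps 0000003fffffffff
echo "commands to replace a SUID httpd with a file capability:"
suid_to_filecap /usr/sbin/httpd cap_net_bind_service
```

To audit a live system, run `decode_caps "$(effective_caps /proc/<pid>/status)"` against a real daemon; a web server that shows only `cap_net_bind_service` is in the state the post describes. Note that `man 7 capabilities` itself describes CAP_SYS_ADMIN as an overloaded catch-all that is close to full root, so granting it per user narrows the audit trail but not the blast radius; a per-user grant should name the specific capability the task needs.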
