Dailydave mailing list archives

Capabilities systems considered harmful


From: dave <dave () immunityinc com>
Date: Mon, 03 Jan 2011 12:31:36 -0500


Spender gave a great talk (while wearing a sombrero) on UNIX capabilities systems
back at a conference in Mexico a thousand years ago or so. But he's gone through the
work to write a terrific post on the subject, and everyone should read it.

The basic theme of a capabilities system is always this: "Which capabilities, alone
or combined with another set of capabilities, are equivalent to super-user access?"
Normally it's quite a lot of them. ARGUS PITBULL (which LSD-PL owned back in the day
and is now out of business, I think) tried this on top of Solaris and Linux, and
there are lots of other great examples of them out there.

In the Linux case, it's a dire situation. Spender goes into explicit details on them
in the post, which is well worth your time. Here is his summary:

"That's 18/35 capabilities equivalent to full root, a good start. In older kernels,
this would have been 18/30, more than half of all capabilities."

He has a list of some of the ones that are not 100% going to get you super-user
access as well. For example:

CAP_NET_RAW (can sniff, possibly more, but sniffing alone won't help against
encrypted protocols) <--Sniffing localhost may help you do things like spoof against
local daemons?
CAP_SYS_NICE <--- Can we magically win all race attacks? :>

To be honest, it's all right on target. I should just repost the whole thing.

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
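The post's point is that most of a process's capability set can amount to root. As an added example (not from the post or from Spender's write-up), here is a small auditing script that decodes the CapEff bitmask from /proc/<pid>/status and flags the capabilities held; the root-equivalent subset it checks against is a conservative list chosen here, not the 18 from the post, and the status text it parses is constructed sample input.

```python
"""Decode a Linux process's effective capability set (the CapEff line of
/proc/<pid>/status) and flag capabilities commonly treated as root-equivalent."""
import re

# Bit numbers from linux/capability.h for the 35 capabilities that existed
# around the time of the post (CAP_SYSLOG, bit 34, was the newest).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
    "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE",
    "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
    "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
]

# Assumption: a conservative root-equivalent subset picked for this example,
# not the list from the post. Tune it to your own threat model.
ROOT_EQUIVALENT = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
    "CAP_SYS_PTRACE", "CAP_SYS_ADMIN", "CAP_MKNOD",
})


def parse_cap_eff(status_text):
    """Return the CapEff mask as an int from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def decode_caps(mask):
    """Map a capability bitmask to names; unknown (newer) bits become CAP_<n>."""
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
    return names


def root_equivalent_caps(status_text):
    """Sorted list of held capabilities that are on the root-equivalent list."""
    return sorted(c for c in decode_caps(parse_cap_eff(status_text)) if c in ROOT_EQUIVALENT)


# Constructed sample: a sniffer-style daemon holding only NET_BIND_SERVICE and NET_RAW.
SAMPLE_STATUS = "Name:\tcapdemo\nCapInh:\t0000000000000000\nCapEff:\t0000000000002400\n"
# Constructed sample: all 35 capabilities of that era, i.e. effectively root.
FULL_STATUS = "Name:\tcapdemo\nCapEff:\t00000007ffffffff\n"

if __name__ == "__main__":
    for text in (SAMPLE_STATUS, FULL_STATUS):
        print(decode_caps(parse_cap_eff(text)), "root-equivalent:", root_equivalent_caps(text))
```

To audit a live process, read `/proc/<pid>/status` and pass its contents to `root_equivalent_caps`.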