oss-sec mailing list archives

Re: filesystem capabilities


From: Kees Cook <kees () ubuntu com>
Date: Thu, 18 Nov 2010 10:56:27 -0800

Hi Steve,

On Wed, Nov 10, 2010 at 02:55:47PM -0500, Steve Grubb wrote:
> drop all privs is a 2 liner:
> capng_clear(CAPNG_SELECT_CAPS);
> if (capng_apply(CAPNG_SELECT_CAPS))
>       exit(0);
> 
> Not sure anything that small needs a library function.

Well, yeah, if it's just caps, I'd agree, but I'm failing to describe what
I mean. :)

For the transition from setuid to fscaps, there will be a time where
distros may ship a program with both setuid-root and fscaps. (Some
stacked filesystems, for example, don't support fscaps.) In these
situations, it would be nice to have a single library-based routine that
all of these programs can call that will basically do the following:

- remember if I'm running setuid
- drop all but needed caps
- if I was setuid, drop uid back to real uid

That way the sensitive code isn't cut/pasted into lots of programs, just
they all call out to a single place, and everything gets it right,
regardless of them being setuid or fscap.

> I asked the maintainer if he's had any discussion [about upstreaming
> the tar xattr patches] lately.

Any news here?

> > Has there been any discussion of making rsync, cp, and cpio default to
> > copying xattrs and acls too? I know at least with rsync they are explicitly
> > not included in the "-a" option. :(
> 
> My rsync man page shows a -X option and cp has a --preserve=xattr. cpio doesn't but no
> one seems to have been missing that.

Right, but I mean, it seems like it would be valuable to make these options
_part_ of -a when currently they are explicitly not included.

-Kees

-- 
Kees Cook
Ubuntu Security Team
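As an added example (not Steve's libcap-ng snippet, nor any code Kees or Ubuntu ships), the following C shows what the single routine Kees describes could look like: remember whether the process started with ids different from the invoking user's, keep only the capabilities it needs, and return to the real uid. It uses the raw capget/capset syscalls so it builds without libcap or libcap-ng, and it changes ids before shrinking the capability sets (under PR_SET_KEEPCAPS) because leaving euid 0 normally empties the permitted set; that ordering and all function names (drop_to_minimal_privs, keep_only_caps, started_privileged, cap_is_effective) are this example's own choices, not something from the thread.

```c
/* Added example, not from the thread: one routine covering the three steps
 * Kees lists (remember setuid, keep only needed caps, drop to the real uid).
 * Raw capget/capset syscalls are used so no capability library is needed;
 * every function name here is this example's own. Linux only. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Capability sets as 64-bit masks indexed by capability number (0..63). */
struct capsets { uint64_t effective, permitted, inheritable; };

static int read_caps(struct capsets *c)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct d[2] = { { 0 }, { 0 } };
    if (syscall(SYS_capget, &hdr, d) != 0)
        return -1;
    c->effective   = (uint64_t)d[0].effective   | ((uint64_t)d[1].effective   << 32);
    c->permitted   = (uint64_t)d[0].permitted   | ((uint64_t)d[1].permitted   << 32);
    c->inheritable = (uint64_t)d[0].inheritable | ((uint64_t)d[1].inheritable << 32);
    return 0;
}

static int write_caps(const struct capsets *c)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct d[2];
    for (int i = 0; i < 2; i++) {   /* d[0] holds caps 0..31, d[1] caps 32..63 */
        d[i].effective   = (uint32_t)(c->effective   >> (32 * i));
        d[i].permitted   = (uint32_t)(c->permitted   >> (32 * i));
        d[i].inheritable = (uint32_t)(c->inheritable >> (32 * i));
    }
    return syscall(SYS_capset, &hdr, d) != 0 ? -1 : 0;
}

/* Step 1: did the kernel give us ids different from the invoking user's?
 * Must be checked before anything below changes them. */
int started_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Is capability `cap` (e.g. CAP_CHOWN) currently in the effective set? */
int cap_is_effective(int cap)
{
    struct capsets c;
    if (cap < 0 || cap > 63 || read_caps(&c) != 0)
        return 0;
    return (int)((c.effective >> cap) & 1);
}

/* Step 2: keep only the capabilities in `keep`; *kept reports what was
 * actually retained (bits we never had are dropped silently, since the
 * permitted set can only shrink). */
int keep_only_caps(uint64_t keep, uint64_t *kept)
{
    struct capsets c;
    if (read_caps(&c) != 0)
        return -1;
    c.permitted   &= keep;
    c.effective    = c.permitted;
    c.inheritable &= keep;
    if (write_caps(&c) != 0)
        return -1;
    if (kept)
        *kept = c.permitted;
    return 0;
}

/* The single entry point: behaves the same whether the binary is setuid-root,
 * carries fscaps, or both. `keep` is a bitmask such as 1ULL << CAP_NET_BIND_SERVICE. */
int drop_to_minimal_privs(uint64_t keep, uint64_t *kept)
{
    if (started_privileged()) {
        uid_t ruid = getuid();
        gid_t rgid = getgid();
        /* Step 3: leaving euid 0 would normally empty the permitted set, so ask
         * the kernel to keep it across the id change; gid before uid, because
         * a non-root euid can no longer change gids. */
        if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
            return -1;
        if (setresgid(rgid, rgid, rgid) != 0 || setresuid(ruid, ruid, ruid) != 0)
            return -1;
        prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    }
    /* The id change cleared the effective set; this shrinks permitted to
     * `keep` and re-raises exactly those caps. */
    return keep_only_caps(keep, kept);
}

int main(void)
{
    uint64_t kept = 0;
    int was_priv = started_privileged();
    if (drop_to_minimal_privs(1ULL << CAP_NET_BIND_SERVICE, &kept) != 0) {
        perror("drop_to_minimal_privs");
        return 1;
    }
    printf("started %s, now uid=%u euid=%u, retained caps mask=%#llx\n",
           was_priv ? "privileged" : "unprivileged",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned long long)kept);
    return 0;
}
```

Run unprivileged, the program reports an empty retained mask (CAP_NET_BIND_SERVICE was never permitted, so it cannot be kept); installed setuid-root or with fscaps it keeps only that capability and ends up running as the real uid. The bounding set is left alone here; a stricter version would also prctl(PR_CAPBSET_DROP) the unneeded capabilities so they cannot come back across an execve.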

