Lowered Process Capabilities for use in Ubuntu (Security)

Registered by Kees Cook

This session will review the Lower Process Capabilities idea that Fedora has started working on. It may be good to do this in Ubuntu as well. http://fedoraproject.org/wiki/Features/LowerProcessCapabilities

Blueprint information

Status: Not started
Approver: Robbie Williamson
Priority: Medium
Drafter: Kees Cook
Direction: Approved
Assignee: Kees Cook
Definition: Discussion
Series goal: Accepted for lucid
Implementation: Informational
Milestone target: None

Whiteboard

Work items:
investigate whether permissions gain is worth the trouble: DONE

Status: Will approve based on outcome of investigation [robbie.w]

Details:
 - This doesn't appear to add any benefit over simply derooting daemons, most of which has already happened. Especially since uid=0 can just change file ownership.
[root@fedora-12-i686 ~]# capsh --drop=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin --
[root@fedora-12-i686 ~]# capsh --print
Current: =ep cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin-ep
Bounding set =
Securebits: 00/0x0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0
[root@fedora-12-i686 ~]# cd /etc
[root@fedora-12-i686 etc]# cat shadow
bash: shadow: Permission denied
[root@fedora-12-i686 etc]# chmod 0700 shadow
[root@fedora-12-i686 etc]# grep gdm shadow
gdm:!!:14557::::::
[root@fedora-12-i686 etc]# chmod 0000 shadow
[root@fedora-12-i686 etc]# ls -la shadow
----------. 1 root root 1029 2009-11-25 21:28 shadow
[root@fedora-12-i686 etc]# cat shadow
cat: shadow: Permission denied
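The finding above, as an added example that is not the blueprint's, Fedora's or Ubuntu's code: it drops every capability with raw capset(2) (the same end state as the capsh --drop line) and then replays the shadow experiment on a constructed temporary file it owns, so it behaves the same whether run as uid 0 or as an ordinary user. The file path and function names are my own; Linux only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Clear effective, permitted and inheritable caps of this thread with raw
 * capset(2): like the capsh --drop line above, but nothing is left. */
static int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 }; /* pid 0: this thread */
    struct __user_cap_data_struct data[2] = { {0, 0, 0}, {0, 0, 0} };        /* v3: two 32-bit words */
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Replays the /etc/shadow experiment on a constructed temp file we own.
 * Returns 0 when the whiteboard's claim holds: with no capabilities a
 * mode-0000 file is unreadable (EACCES, uid 0 or not), yet the owner can
 * chmod it back and read it. Negative values name the step that differed. */
static int owner_bypass_demo(void)
{
    char path[] = "/tmp/lpc-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, "secret\n", 7) != 7) { close(fd); unlink(path); return -2; }
    close(fd);
    if (drop_all_caps() != 0) { unlink(path); return -3; }
    int rc = 0;
    if (chmod(path, 0000) != 0) rc = -4;              /* owner: allowed without caps */
    else if ((fd = open(path, O_RDONLY)) >= 0 || errno != EACCES) {
        rc = -5;                                       /* DAC was still bypassed */
        if (fd >= 0) close(fd);
    } else if (chmod(path, 0600) != 0) rc = -6;       /* owner reopens the door */
    else if ((fd = open(path, O_RDONLY)) < 0) rc = -7;
    else close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = owner_bypass_demo();
    printf("owner_bypass_demo: %d%s\n", rc, rc == 0 ? " (no caps, owner still reads)" : "");
    return rc == 0 ? 0 : 1;
}
```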
