[prev in list] [next in list] [prev in thread] [next in thread]
List: dailydave
Subject: [Dailydave] Capabilities systems considered harmful
From: dave <dave () immunityinc ! com>
Date: 2011-01-03 17:31:36
Message-ID: 4D2207F8.1080804 () immunityinc ! com
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Spender gave a great talk (while wearing a sombrero) on UNIX capabilities systems
back at a conference in Mexico a thousand years ago or so. But he's gone through the
work to write a terrific post on the subject, and everyone should read it.
The basic theme of a capabilities system is always this: "Which capabilities, alone
or combined with another set of capabilities, are equivalent to super-user access?"
Normally it's quite a lot of them. ARGUS PITBULL (which LSD-PL owned back in the day
and is now out of business, I think) tried this on top of Solaris and Linux, and
there are lots of other great examples of them out there.
In the Linux case, it's a dire situation. Spender goes into explicit details on them
in the post, which is well worth your time. Here is his summary:
"That's 18/35 capabilities equivalent to full root, a good start. In older kernels,
this would have been 18/30, more than half of all capabilities.
"
He has a list of some of the ones that are not 100% going to get you super-user
access as well. For example:
CAP_NET_RAW (can sniff, possibly more, but sniffing alone won't help against
encrypted protocols) <--Sniffing localhost may help you do things like spoof against
local daemons?
CAP_SYS_NICE <--- Can we magically win all race attacks? :>
To be honest, it's all right on target. I should just repost the whole thing.
- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAk0iB/gACgkQtehAhL0gherAGgCZAQWS2SJA12Q4oHemjQRFSDiz
UbkAn0BBigUc+xxwOcH4HBxTH+tTg75c
=fhaw
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave@lists.immunityinc.com
https://lists.immunityinc.com/mailman/listinfo/dailydave
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic