On 26/01/2013 08:46, Mike Frysinger wrote:
> 
> at least, this is all my understanding of things.  i could be completely 
> wrong, so feel free to correct something if you notice it.

All looks good to me, but just because somebody is going to wonder this
I would add a few words:

While this is basically the same underlying idea of selinux and rbac, it
is much more limited in scope. In particular instead of telling each
program exactly what they can or cannot do, we're giving them a broad
spectrum of privileges (but much narrower than what a setuid root
program would have). This is both less rewarding in terms of security,
and less headache-prone.

Indeed most of the capabilities currently allowed are pretty much "do
something almost like root" — so for instance `tcpdump` needs
CAP_NET_ADMIN that does... almost everything with the network, while
`ping` would just use CAP_NET_RAW and be able to send out the ICMP ECHO
packets just fine. A web server, or any other server using privileged
TCP/UDP ports (<1024) would need instead CAP_NET_BIND_SERVICE.

All these settings allow tools to run as users who generally don't have
said capabilities, and yet be able to execute higher-level features. As
Mike said, this is just to replace setuid (and if you've got selinux, you
go one step further because you can for instance give
CAP_DAC_READ_SEARCH to a tool, but also verify that it doesn't go
randomly reading stuff out of a user's home).

There's also a different kind of capabilities, in theory, relating to
users instead and using PAM — but I never got to get it working :(

-- 
Diego Elio Pettenò — Flameeyes
flamee...@flameeyes.eu — http://blog.flameeyes.eu/

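The check that usually follows the discussion above is "which of those broad capabilities did the tool actually end up with?" The kernel reports this as hex bitmasks in the CapInh/CapPrm/CapEff lines of /proc/PID/status, and a setuid root binary shows the full set there while a file-capability binary such as ping shows only CAP_NET_RAW. The script below is an added example, not code from the post or from Gentoo: it decodes those masks into names (numbering taken from linux/capability.h), parses status text, and reports any capability beyond what a per-tool policy allows. The three status excerpts and the ping/tcpdump policy are constructed for the example; the mask 0x1ffffffffff stands for "all 41 capabilities" on a recent kernel and will differ on older ones.

```python
"""Decode and audit Linux capability masks from /proc/<pid>/status.

Added example for the fcaps discussion; not part of the original post.
Capability numbers follow linux/capability.h (bit N == CAP number N).
"""
import re

# Index in this list is the capability number; e.g. CAP_NET_RAW is bit 13.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def decode_caps(mask):
    """Return the capability names whose bit is set in mask, lowest bit first.

    Bits the table does not know (a newer kernel) are reported as CAP_<n>
    rather than silently dropped, so an audit never under-reports."""
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
    return names


def parse_status(status_text):
    """Extract the Cap* lines of a /proc/<pid>/status dump as {name: int}."""
    caps = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def excess_caps(mask, allowed):
    """Capabilities present in mask that the policy set `allowed` does not list."""
    return [name for name in decode_caps(mask) if name not in allowed]


def audit(status_by_tool, policy):
    """For each tool, list effective capabilities beyond its policy.

    status_by_tool: {tool: status text}; policy: {tool: set of allowed names}.
    A tool missing from the policy is allowed nothing, so everything shows up."""
    report = {}
    for tool, text in status_by_tool.items():
        eff = parse_status(text).get("CapEff", 0)
        report[tool] = excess_caps(eff, policy.get(tool, set()))
    return report


def running_process_caps(pid="self"):
    """Read the live masks of a process (Linux only; the samples below avoid it)."""
    with open("/proc/%s/status" % pid) as fh:
        return parse_status(fh.read())


# Constructed status excerpts, shaped like real /proc/<pid>/status output.
SAMPLE_PING = "Name:\tping\nCapPrm:\t0000000000002000\nCapEff:\t0000000000002000\n"
SAMPLE_TCPDUMP = "Name:\ttcpdump\nCapPrm:\t0000000000003000\nCapEff:\t0000000000003000\n"
SAMPLE_SETUID_ROOT = "Name:\told_ping\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"

# Constructed policy: the narrow grants the post argues for.
POLICY = {"ping": {"CAP_NET_RAW"}, "tcpdump": {"CAP_NET_RAW"}}

if __name__ == "__main__":
    samples = {"ping": SAMPLE_PING, "tcpdump": SAMPLE_TCPDUMP, "old_ping": SAMPLE_SETUID_ROOT}
    for tool, extra in audit(samples, POLICY).items():
        print("%-9s excess: %s" % (tool, ", ".join(extra) or "none"))
```

Run against a real box, `running_process_caps(pid)` on a ping started by an unprivileged user should decode to exactly ["CAP_NET_RAW"] when the binary carries file capabilities, and to the whole table when it is still setuid root; the tcpdump sample above shows why the audit flags CAP_NET_ADMIN as excess even though the tool legitimately needs it for promiscuous mode, which is the kind of per-tool decision the policy dictionary is meant to record.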