Re: [gentoo-user] How many ways are there for a user to increase their permissions?
On Sunday 18 April 2010 07:41:51 Mike Edenfield wrote:
> On 4/18/2010 12:29 AM, Jonathan wrote:
>> On Sun, 18 Apr 2010 00:46:25 +0100 David W Noon dwn...@ntlworld.com
>> wrote:
>>> If any Joe Schmoe could imbue a program with capabilities, this
>>> might be true. But that's not the way the system works.
>>
>> Sorry, I think I'm missing your point.
>>
>>> Only root can run the setcap program to add capabilities to a
>>> program, at least on a normal, UNIX-style security system. On a
>>> role-based security system, even root might not be permitted to do
>>> this.
>>
>> If I had the root password to own system (which I do...) and I wanted
>> Wine to use IPX without running as root, I would set
>> setcap cap_net_raw=ep /usr/bin/wine as root. Then I could run Wine as
>> my normal user. No one in their right mind would run Wine as root. If
>> you did you may as well use Windows.
>
> You say no one in their right mind would run Wine as root. But if you
> did not have capabilities support available, and wanted Wine to use
> IPX, then you wouldn't have any other choice but to run Wine as root.
> By using capabilities, you aren't increasing Wine's permissions, you
> are decreasing the permissions needed to support IPX.
>
> Trying to compare Wine without IPX to Wine with CAP_NET_RAW isn't a
> fair comparison, as the two don't have the same feature set and thus
> clearly don't have the same security needs.

Or explain it like this:

The kernel can do anything the software and hardware supports.
Normally, the Unix kernel gives those same rights to any app running
with UID 0 (NOT the same thing as the root account - that's just a
label. To prove it, create a new account toor with UID 0 and log in as
it). Unix permissions are traditionally an all or nothing approach. You
can do what root can do, or you can do what users can do. This got
modified with the introduction of groups and group owners a long time
ago, where a user could get the rights of the group owner of an
app/file if they were members of the group.

Please note that it's the kernel doing this, not the root account. The
kernel trusts the root account and does what it says.

But traditional Unix permissions have the problem of not being
fine-grained enough. For the most part this works fine, but in the odd
case where you need more, you are up a creek without a paddle and have
to give everything to get a little. That's why we have SUID and its
bastard progeny GUID. A more ridiculous solution is very hard to find.

So this whole argument about "do caps raise or lower permissions?" is
utterly pointless and leads nowhere. It's not even the point, as there
are two viewpoints and one seems to go up and one seems to go down.

caps do this: Allow fine-grained access control to resources, without
having to give everything to get something.

-- 
alan dot mckinnon at gmail dot com
Re: [gentoo-user] How many ways are there for a user to increase their permissions?
On Friday 16 April 2010 23:13:34 Jonathan wrote:
> I'm trying to work out how many ways there are to increase the
> permissions of a user.
>
> 1: su -: Needs root password and you need to be in the group wheel.
>
> 2: sudo: You need to be in the group wheel or in the /etc/sudoers
> file, using your own user password. I'm not counting gksu and gksudo;
> they are just front ends.
>
> 3: sudoedit: This is the best way to edit text files; it uses the same
> rules as sudo.
>
> 4: Linux Capabilities or caps: Which increases permissions on a
> per-file basis. e.g. removing SUID from ping and adding CAP_NET_RAW to
> ping. This is much safer than running the whole program as root.
> http://linux.die.net/man/7/capabilities

This is a first for me. I haven't used it before and it seems it is not
set up on my box by default.

-- 
Regards,
Mick
Re: [gentoo-user] How many ways are there for a user to increase their permissions?
On Sat, 17 Apr 2010 20:30:02 +0200, Mick wrote about Re: [gentoo-user]
How many ways are there for a user to increase their permissions?:
> On Friday 16 April 2010 23:13:34 Jonathan wrote:
> [snip]
>> 4: Linux Capabilities or caps: Which increases permissions on a
>> per-file basis. e.g. removing SUID from ping and adding CAP_NET_RAW
>> to ping. This is much safer than running the whole program as root.
>> http://linux.die.net/man/7/capabilities
>
> This is a first for me. I haven't used it before and it seems it is
> not set up on my box by default.

In fact, POSIX capabilities are a mechanism to *reduce* a program's
permissions, not increase them.

With a default system, any program that needs to do, say, one
privileged operation must be run as root. The typical example is to
open a service port (i.e. 1023 or lower) rather than an ephemeral port
in the TCP/IP stack. Such a program receives full root privileges,
which allow it to have full access to the filesystems, modprobe new
drivers into the kernel, etc., etc., even though it only wants to
listen on a service port.

With caps, it is given the capability (CAP_NET_BIND_SERVICE) to open
service ports without regard to the userid under which it is running.
This means that it will *NOT* have permissions to modprobe drivers,
mess about with files arbitrarily, etc.

    man 7 capabilities

If you don't have that man page, you will need to emerge libcap.

-- 
Regards,
Dave [RLU #314465]
== dwn...@ntlworld.com (David W Noon) ==
Re: [gentoo-user] How many ways are there for a user to increase their permissions?
On Sat, 17 Apr 2010 21:45:57 +0100 David W Noon dwn...@ntlworld.com
wrote:
> In fact, POSIX capabilities are a mechanism to *reduce* a program's
> permissions, not increase them.

It's true that Linux capabilities are used to replace SUID and that
does reduce the program's permissions. On the other hand, programs like
Wine, which no one would ever run with SUID, could be run with
CAP_NET_RAW. That would be an increase in permissions. Wine needs to be
able to ping because some programs need to use IPX[1], like Red Alert
2. Someone has made a patch for Red Alert 2 to use TCP/IP and I can not
think of another program off the top of my head.

That information came from man 7 capabilities. So I guess it's all
about how you look at it.

[1] http://en.wikipedia.org/wiki/Internetwork_Packet_Exchange
Re: [gentoo-user] How many ways are there for a user to increase their permissions?
On 17.04.2010 23:32, Jonathan wrote:
> On Sat, 17 Apr 2010 21:45:57 +0100 David W Noon dwn...@ntlworld.com
> wrote:
>> In fact, POSIX capabilities are a mechanism to *reduce* a program's
>> permissions, not increase them.
>
> It's true that Linux capabilities are used to replace SUID and that
> does reduce the program's permissions. On the other hand, programs
> like Wine, which no one would ever run with SUID, could be run with
> CAP_NET_RAW. That would be an increase in permissions. Wine needs to
> be able to ping because some programs need to use IPX[1], like Red
> Alert 2. Someone has made a patch for Red Alert 2 to use TCP/IP and I
> can not think of another program off the top of my head.
>
> That information came from man 7 capabilities. So I guess it's all
> about how you look at it.
>
> [1] http://en.wikipedia.org/wiki/Internetwork_Packet_Exchange

Sounds a little like putting someone in prison and then telling him
walking through the prison yard is increasing his freedom.

kh
Re: [gentoo-user] How many ways are there for a user to increase their permissions?
On Sat, 17 Apr 2010 23:59:07 +0200 KH gentoo-u...@konstantinhansen.de
wrote:
> Sounds a little like putting someone in prison and then telling him
> walking through the prison yard is increasing his freedom.

As Linux is a prison for programs then I guess you're right.
Re: [gentoo-user] How many ways are there for a user to increase their permissions?
On Sat, 17 Apr 2010 23:40:01 +0200, Jonathan wrote about Re:
[gentoo-user] How many ways are there for a user to increase their
permissions?:
> On Sat, 17 Apr 2010 21:45:57 +0100 David W Noon dwn...@ntlworld.com
> wrote:
>> In fact, POSIX capabilities are a mechanism to *reduce* a program's
>> permissions, not increase them.
>
> It's true that Linux capabilities are used to replace SUID and that
> does reduce the program's permissions. On the other hand, programs
> like Wine, which no one would ever run with SUID, could be run with
> CAP_NET_RAW. That would be an increase in permissions. Wine needs to
> be able to ping because some programs need to use IPX[1], like Red
> Alert 2. Someone has made a patch for Red Alert 2 to use TCP/IP and I
> can not think of another program off the top of my head.

If any Joe Schmoe could imbue a program with capabilities, this might
be true. But that's not the way the system works.

Only root can run the setcap program to add capabilities to a program,
at least on a normal, UNIX-style security system. On a role-based
security system, even root might not be permitted to do this.

> That information came from man 7 capabilities. So I guess it's all
> about how you look at it.
>
> [1] http://en.wikipedia.org/wiki/Internetwork_Packet_Exchange

Unfortunately, I'm old enough to have used IPX/SPX networking in the
days when Novell Netware (a.k.a. Slowvell Slugware) was considered a
serious network system.

-- 
Regards,
Dave [RLU #314465]
== dwn...@ntlworld.com (David W Noon) ==
Re: [gentoo-user] How many ways are there for a user to increase their permissions?
On Sun, 18 Apr 2010 00:46:25 +0100 David W Noon dwn...@ntlworld.com
wrote:
> If any Joe Schmoe could imbue a program with capabilities, this might
> be true. But that's not the way the system works.

Sorry, I think I'm missing your point.

> Only root can run the setcap program to add capabilities to a
> program, at least on a normal, UNIX-style security system. On a
> role-based security system, even root might not be permitted to do
> this.

If I had the root password to own system (which I do...) and I wanted
Wine to use IPX without running as root, I would set
setcap cap_net_raw=ep /usr/bin/wine as root. Then I could run Wine as
my normal user. No one in their right mind would run Wine as root. If
you did you may as well use Windows.
Re: [gentoo-user] How many ways are there for a user to increase their permissions?
On 4/18/2010 12:29 AM, Jonathan wrote:
> On Sun, 18 Apr 2010 00:46:25 +0100 David W Noon dwn...@ntlworld.com
> wrote:
>> If any Joe Schmoe could imbue a program with capabilities, this
>> might be true. But that's not the way the system works.
>
> Sorry, I think I'm missing your point.
>
>> Only root can run the setcap program to add capabilities to a
>> program, at least on a normal, UNIX-style security system. On a
>> role-based security system, even root might not be permitted to do
>> this.
>
> If I had the root password to own system (which I do...) and I wanted
> Wine to use IPX without running as root, I would set
> setcap cap_net_raw=ep /usr/bin/wine as root. Then I could run Wine as
> my normal user. No one in their right mind would run Wine as root. If
> you did you may as well use Windows.

You say no one in their right mind would run Wine as root. But if you
did not have capabilities support available, and wanted Wine to use
IPX, then you wouldn't have any other choice but to run Wine as root.
By using capabilities, you aren't increasing Wine's permissions, you
are decreasing the permissions needed to support IPX.

Trying to compare Wine without IPX to Wine with CAP_NET_RAW isn't a
fair comparison, as the two don't have the same feature set and thus
clearly don't have the same security needs.

--Mike
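
Added example, not part of any message in this thread: the difference the thread argues about (everything UID 0 gets versus a single capability such as CAP_NET_RAW or CAP_NET_BIND_SERVICE) can be read from the CapEff bitmask in /proc/<pid>/status. The function names and the three sample masks are constructed for illustration; the full mask assumes a kernel that defines 41 capabilities.

```shell
#!/bin/sh
# Added example: decode a capability bitmask (the CapEff field in
# /proc/<pid>/status) into names, to compare UID 0 with one file capability.

# Capability names in bit order, bit 0 first (from <linux/capability.h>).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid
setuid setpcap linux_immutable net_bind_service net_broadcast net_admin
net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace
sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config
mknod lease audit_write audit_control setfcap mac_override mac_admin syslog
wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK: print the cap_* names whose bits are set.
decode_caps() {
    mask=$((0x${1:-0})); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }cap_$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# count_caps HEXMASK: print how many capabilities the mask grants.
count_caps() {
    set -- $(decode_caps "$1")
    echo "$#"
}

# has_cap HEXMASK NAME: succeed if cap_NAME is in the mask.
has_cap() {
    case " $(decode_caps "$1") " in
        *" cap_$2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample masks, not captured from a real system.
ROOT_MASK=000001ffffffffff   # UID 0 where the kernel defines 41 capabilities
RAW_ONLY=0000000000002000    # non-root process exec'd from a cap_net_raw=ep file
BIND_ONLY=0000000000000400   # CAP_NET_BIND_SERVICE alone

echo "root:      $(count_caps "$ROOT_MASK") capabilities"
echo "raw only:  $(decode_caps "$RAW_ONLY")"
echo "bind only: $(decode_caps "$BIND_ONLY")"
has_cap "$RAW_ONLY" sys_module || echo "raw only:  cannot load kernel modules"

# Decode this shell's own effective set where /proc is available.
if [ -r "/proc/$$/status" ]; then
    echo "self:      $(decode_caps "$(awk '/^CapEff:/ {print $2}' "/proc/$$/status")")"
fi
```

To check a running process, pass its CapEff value to decode_caps; `getcap` on the binary shows what `setcap` stored in the file itself.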