[15513] in bugtraq

home help back first fref pref prev next nref lref last post

Re: Linux capability bounding set weakness

daemon@ATHENA.MIT.EDU (Paul Wouters)
Wed Jun 28 15:34:11 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.0006272246120.2031-100000@duplo.xtdnet.nl>
Date:         Tue, 27 Jun 2000 22:50:44 +0200
Reply-To: Paul Wouters <paul@XTDNET.NL>
From: Paul Wouters <paul@XTDNET.NL>
X-To:         Patrick Reynolds <reynolds@CS.DUKE.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10006262044240.1191-100000@s-reynolds.cs.duke.edu>

On Mon, 26 Jun 2000, Patrick Reynolds wrote:

> To make capability bounding sets at all useful, you have to disable
> CAP_SYS_RAWIO, which governs access to /dev/mem.  Be advised that doing so
> will break X and any other user-space program that needs raw access to
> memory or I/O ports.

> Fix: if you disable anything in the capability bounding set, you must also
> disable CAP_SYS_RAWIO and CAP_SYS_MODULE.

These issues have been addressed a long time ago with LIDS (www.lids.org).
There, not init, but a special program called lidsadm is the control center
of the capabilities. It has clear documentation on why you MUST restrict
certain capabilities, and even has the option to compile a hardcoded list of
processes (such as X :) that can access /dev/mem despite the capability
setting.

I can recommend lids as a VERY good way to secure your system so much, you'll
find it impossible to cleanly shutdown or reboot altogether :)

See http://www.ota.be/linux/workshops/20000527/ for a RealMedia overview
of LIDS that I gave a few weeks ago for the OTA.

Paul
--
Only the access to the source code of our future television sets will
guarantee the independence of content and technology.

 --- www.linuxtv.org
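As an added example (not part of this thread, and not LIDS or kernel code), the following C program audits the point Patrick's message makes: a bounding set only means something if CAP_SYS_MODULE and CAP_SYS_RAWIO are gone from it. It assumes a kernel that exposes the per-thread bounding set as the hex "CapBnd:" mask in /proc/self/status (later kernels do; the 2.2-era global cap-bound sysctl discussed above is not read here). The capability numbers 16 and 17 are the real values from linux/capability.h; the helper names and the sample masks in the comments are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Capability numbers from <linux/capability.h>, hard-coded so the audit
 * builds without Linux headers. */
#define CAP_SYS_MODULE 16
#define CAP_SYS_RAWIO  17

/* Capabilities the thread says must be dropped for a bounding set to
 * mean anything: module loading and raw memory / I/O port access. */
static const int must_drop[] = { CAP_SYS_MODULE, CAP_SYS_RAWIO };
static const int n_must_drop = 2;

/* Parse the hex mask printed after "CapBnd:" in /proc/<pid>/status
 * (e.g. "000001ffffffffff"). Returns 0 on success, -1 if not a hex mask. */
int parse_cap_mask(const char *hex, uint64_t *mask)
{
    char *end;
    if (hex == NULL || *hex == '\0')
        return -1;
    *mask = strtoull(hex, &end, 16);
    if (end == hex)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r')
        end++;                       /* tolerate the trailing newline */
    return *end == '\0' ? 0 : -1;
}

/* 1 if capability number cap is set in mask, else 0. */
int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1u);
}

/* Number of must-drop capabilities still present in mask.
 * 0 means the hardening discussed in the thread is in effect. */
int count_unrestricted(uint64_t mask)
{
    int n = 0;
    for (int i = 0; i < n_must_drop; i++)
        n += cap_in_mask(mask, must_drop[i]);
    return n;
}

/* Read the caller's own bounding set. Returns 0 and fills *mask, or -1
 * when /proc/self/status is unavailable (non-Linux, /proc not mounted). */
int read_own_bounding_set(uint64_t *mask)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int rc = -1;
    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "CapBnd:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t')
                p++;
            rc = parse_cap_mask(p, mask);
            break;
        }
    }
    fclose(f);
    return rc;
}

int main(void)
{
    uint64_t mask;
    if (read_own_bounding_set(&mask) != 0) {
        fprintf(stderr, "could not read CapBnd from /proc/self/status\n");
        return 2;
    }
    printf("CapBnd = %016llx\n", (unsigned long long)mask);
    for (int i = 0; i < n_must_drop; i++)
        printf("cap %d: %s\n", must_drop[i],
               cap_in_mask(mask, must_drop[i]) ? "STILL IN BOUNDING SET"
                                               : "dropped");
    /* exit status 1 flags a bounding set that still allows raw memory
     * access or module loading, so the check can run from cron or CI */
    return count_unrestricted(mask) == 0 ? 0 : 1;
}
```

Run it as the unprivileged user whose bounding set you care about; a non-zero exit means CAP_SYS_RAWIO or CAP_SYS_MODULE is still reachable and any other restriction in the set can be undone through /dev/mem or a module, exactly the weakness the original report describes.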
