1*2810ac1bSKiyoung Kim# Notes concerning wider use of capabilities 2*2810ac1bSKiyoung Kim 3*2810ac1bSKiyoung Kim## Overview 4*2810ac1bSKiyoung Kim 5*2810ac1bSKiyoung Kim**NOTE** These notes were added to the libcap package in 6*2810ac1bSKiyoung Kimlibcap-1.03. They pre-date file capability support, but fully 7*2810ac1bSKiyoung Kimanticipate it. They are some thoughts on how to restructure a system 8*2810ac1bSKiyoung Kimto better leverage capability support. I've updated them to render as 9*2810ac1bSKiyoung Kiman `.md` formatted file. 10*2810ac1bSKiyoung Kim 11*2810ac1bSKiyoung KimAs of Linux 2.2.0, the power of the superuser has been partitioned 12*2810ac1bSKiyoung Kiminto a set of discrete capabilities (in other places, these 13*2810ac1bSKiyoung Kimcapabilities are know as privileges). 14*2810ac1bSKiyoung Kim 15*2810ac1bSKiyoung KimThe contents of the libcap package are a library and a number of 16*2810ac1bSKiyoung Kimsimple programs that are intended to show how an application/daemon 17*2810ac1bSKiyoung Kimcan be protected (with wrappers) or rewritten to take advantage of 18*2810ac1bSKiyoung Kimthis fine grained approach to constraining the danger to your system 19*2810ac1bSKiyoung Kimfrom programs running as 'root'. 20*2810ac1bSKiyoung Kim 21*2810ac1bSKiyoung Kim## Notes on securing your system 22*2810ac1bSKiyoung Kim 23*2810ac1bSKiyoung Kim### Adopting a role approach to system security 24*2810ac1bSKiyoung Kim 25*2810ac1bSKiyoung KimChanging all of the system binaries and directories to be owned by 26*2810ac1bSKiyoung Kimsome user that cannot log on. You might like to create a user with 27*2810ac1bSKiyoung Kimthe name 'system' who's account is locked with a '*' password. This 28*2810ac1bSKiyoung Kimuser can be made the owner of all of the system directories on your 29*2810ac1bSKiyoung Kimsystem and critical system binaries too. 30*2810ac1bSKiyoung Kim 31*2810ac1bSKiyoung KimWhy is this a good idea? In a simple case, the `CAP_FOWNER` capability 32*2810ac1bSKiyoung Kimis required for the superuser to delete files owned by a non-root user 33*2810ac1bSKiyoung Kimin a _sticky-bit_ protected non-root owned directory. Thus, the sticky 34*2810ac1bSKiyoung Kimbit can help you protect the `/lib/` directory from a compromized 35*2810ac1bSKiyoung Kimdaemon where the directory and the files it contains are owned by the 36*2810ac1bSKiyoung Kimsystem user. It can be protected to ensure that the daemon is not 37*2810ac1bSKiyoung Kimrunning with the `CAP_FOWNER` capability... 38*2810ac1bSKiyoung Kim 39*2810ac1bSKiyoung Kim### Limiting the damage 40*2810ac1bSKiyoung Kim 41*2810ac1bSKiyoung KimIf your daemon only needs to be setuid-root in order to bind to a low 42*2810ac1bSKiyoung Kimnumbered port. You should restrict it to only having access to the 43*2810ac1bSKiyoung Kim`CAP_NET_BIND_SERVICE` capability. Coupled with not having any files 44*2810ac1bSKiyoung Kimon the system owned by root, it becomes significantly harder for such 45*2810ac1bSKiyoung Kima daemon to damage your system. 46*2810ac1bSKiyoung Kim 47*2810ac1bSKiyoung KimNote, you should think of this kind of trick as making things harder 48*2810ac1bSKiyoung Kimfor a potential attacker to exploit a hole in a daemon of this 49*2810ac1bSKiyoung Kimtype. Being able to bind to any privileged port is still a formidable 50*2810ac1bSKiyoung Kimprivilege and can lead to difficult but _interesting_ 51*2810ac1bSKiyoung Kimman-in-the-middle attacks -- hijack the telnet port for example and 52*2810ac1bSKiyoung Kimmasquerade as the login program... Collecting passwords for another 53*2810ac1bSKiyoung Kimday. 54*2810ac1bSKiyoung Kim 55*2810ac1bSKiyoung Kim### The /proc/ filesystem 56*2810ac1bSKiyoung Kim 57*2810ac1bSKiyoung KimThis Linux-specific directory tree holds most of the state of the 58*2810ac1bSKiyoung Kimsystem in a form that can sometimes be manipulated by file 59*2810ac1bSKiyoung Kimread/writes. Take care to ensure that the filesystem is not mounted 60*2810ac1bSKiyoung Kimwith uid=0, since root (with no capabilities) would still be able to 61*2810ac1bSKiyoung Kimread sensitive files in the `/proc/` tree - `kcore` for example. 62*2810ac1bSKiyoung Kim 63*2810ac1bSKiyoung Kim[Patch is available for 2.2.1 - I just wrote it!] 64