Mastering POSIX File Capabilities

An anonymous reader passes along an IBM DeveloperWorks article on POSIX file capabilities, which have recently become available in the Linux kernel; they are expected in the mainline kernel by 2.6.24. POSIX file capabilities parcel out root user powers into smaller privileges. The article details how to program using file capabilities and how to switch on the ability of a system's setuid root binaries to use file capabilities.

Re:At last

[Anonymous Coward]

Nope, I don't think you read and/or understood the article. This has nothing to do with file permissions it affects what 'capabilities' the resulting process has when it is executed. As far as I know Windows does not have anything similar. As for NTFS style ACLs those have been around for a while, google for POSIX ACLs.

Re:

[Anonymous Coward]

Windows does have the same concepts but it pales in comparison. Capabilities on Windows are purpose built rather than generic capabilities which further limits its value on Windows.

Re:

[joel48]

POSIX ACLs have been around for a while, but they don't address what the parent was referring to. POSIX ACLs allow extending beyond the standard user, group and other items, allowing multiple of each - but they still only allow the standard four digit octal permissions.

The NT ACLs have that capability, but much deeper granularity (write vs. append, replace, etc). Note that NFSv4 has similar granularity - but they are definitely not simple POSIX ACLs (there needed to be explicit support added to attempt to s

Win32 AdjustTokenPrivileges

[SchroedingersCat]

Windows had this functionality since day one. Lookup AdjustTokenPrivileges() on MSDN [microsoft.com]

Re:

[rabtech]

Actually it does have similar mechanisms, in a way. Every process has a security token that determines what the process can and can't do. The main problem is that Windows doesn't really expose a good way to alter these permissions when the program is launched - it picks up whatever rights and permissions the user has. Runas is a good way around this, but there is no fundamental reason Windows couldn't let you right-click an exe, go to a permissions tab, and uncheck various permissions... like communicating

Re:

[jafac]

Both .net and COM/DCOM models have a different security layer allowing programs to have different privileges than the user. You can expose the configuration for this in "dcomcnfg.exe" -

Re:

[Jaime2]

.Net programs have a feature called "Code Access Security" that give an executable a very specific set of permissions. For example -- by default, you cannot run a .Net program that does anything beyond create windows if you launch it from a network share or the Internet. This was introduced in 2001.

Not the correct comparison.

[Junta]

Linux has had filesystem ACLs for ages (arbitrary lists of people with sets of permissions above and beyond user/group/world permissions).

This is essentially a finer-grained setuid. I.e., before, the filesystem permission granularity was 'the /bin/ping program code is permitted to assume root privileges', because ping needed to do *one* thing that only root could do. Code in this position is generally thoroughly audited and such, but presume for a moment a user figured out a buffer overflow using some ICMP pattern that would cause ping to execute arbitrary code. If not written correctly, the results could be disasterous. If well written, the program code has dropped all but the capability it needed, but the kernel/permissions aren't forcing the issue so the code must be trusted.

Enter this mechanism. Now, you can *force* the issue in the filesystem permissions to never even possibly allow ping anything but what it needed. If ping was badly written to not drop any privileges, and a malicious user overflowed, he'd still only be able to create raw sockets, and nothing more.

This sort of complexity I'm not sure is dealt with in Windows (or how) I don't even know what may or may not need setuid to be a good example under their architecture. It certainly paves the way for future distributions to have a lot fewer setuid programs to worry about (though, on the flip side, programs with few enhanced capabilities may still be dangerous and yet be less obvious as it isn't setuid, file listing may have to be tweaked to reflect the kinda-setuid nature to leave awareness).

I don't think that's right...

[Junta]

Seeing as how you can make an unprivileged account and those programs are prevented from doing this or that. It's just that all recommendations/forums/etc/etc have *always* said 'always run as an administrator account' because Windows applications as a rule may not be well designed for a well secured environment.

If *everything* was setuid, it wouldn't matter whether you had administrator privilege or not. Also, runas wouldn't be needed for privilege escalation.

Re:

[Cally]

Linux has had filesystem ACLs for ages (arbitrary lists of people with sets of permissions above and beyond user/group/world permissions).

News to me... ~ $ ls -l /etc total 1302 -rw-r--r-- 1 root root 15069 Feb 24 2006 a2ps.cfg -rw-r--r-- 1 root root 2563 Feb 24 2006 a2ps-site.cfg drwxr-xr-x 4 root root 1024 Feb 19 2007 acpi/ -rw-r--r-- 1 root root 46 Dec 21 20:58 adjtime drwxr-xr-x 2 root root 2048 Aug 10 11:51 alternatives/ [.... etc ...] Sure looks like 3 sets of rwx to me...

Unfortunately...

[Junta]

ls is not equipped (as far as I know) for displaying acls.

$ getfacl .
# file: .
# owner: ownaccount
# group: owngroup
user::rwx
group::r-x
other::r-x

That was default, reflecting:
drwxr-xr-x 2 ownaccount owngroup 4096 2007-12-23 12:28 .

$ setfacl -m mythtv:rw .
$ getfacl .
# file: .
# owner: ownaccount
# group: owngroup
user::rwx
user:mythtv:rw-
group::r-x
mask::rwx
other::r-x

And ls shows:
drwxrwxr-x+ 2 ownuser owngroup 4096 2007-12-23 12:28 .

Note the +. It's enough to indicate acl existance, but not more than that.

Re:

[dkf]

If ping was badly written to not drop any privileges, and a malicious user overflowed, he'd still only be able to create raw sockets, and nothing more.

You are aware just how much mischief they'd be able to do like that? For example, synthesizing ARP packets...

Yes, but...

[Junta]

It's better than the alternative of all-out access. That's why only one security mechanism isn't enough. In your case, if they managed to exploit ping for raw socket access to arp spoof, they could launch a DoS or start a man-in-the-middle attack. Not much can be done with the DoS, but SSL and ssh protocols should guard against the man-in-the-middle if used correctly.

The point is every facility needs to do it's part to mitigate risk security wise. It may be better to provide a facility to do ICMP echo r

Re:

[PenisLands]

Yes. Now in a year or so, Linux will be ready for the desktop. 2008 is the year of Linux on the desktop!

You know what?

[roman_mir]

With my parents using Ubuntu, I must say this:

I hope that by 2008 the desktop will be ready for GNU/Linux.

OT: ACLs

[Richard W.M. Jones]

Well, the article is about capabilities, not ACLs, and Linux has had ACLs in the filesystem for years too.

To get to the point though: Administrators don't use ACLs on Linux because they make file permissions much harder to understand, for what is in reality an unimportant increase in expressiveness. Simple user/other permissions are easy to understand and work 99% of the time, groups fill in another few cases (eg. permissions on shared sockets), and ACLs are almost never necessary.

SELinux is another "interesting" area. Since I started to use Fedora again, I really wanted to use SELinux. I really did. But because I'm always using Rawhide (the bleeding-edge development version) I've had to turn SELinux off. It's too complex to understand and breaks too often on Rawhide. I'd only recommend it on a stable version (eg. RHEL/Centos) and then just as a final line of defense security measure, not to implement ACLs.

Rich

Linux ACLs

[sentientbrendan]

>Well, the article is about capabilities, not ACLs, and Linux has had ACLs in the
>filesystem for years too.
Years yes... but they are still fairly new compared to the ACLs that are present in NTFS. Also, ACL's aren't really universal or standardized in linux. SELinux provides ACLs, as does AppArmor, which suze uses. It's kind of hard to adopt a permissions system that works differently between distros and not at all on some.

Which goes to your other point about people not using ACLs in Linux often. This

Re:

[amorsen]

SELinux provides ACLs, as does AppArmor, which suze uses. It's kind of hard to adopt a permissions system that works differently between distros and not at all on some.

Neither SELinux nor AppArmor provides ACLs. ACLs are discretionary access controls, users can change the permissions. SELinux and AppArmor provide mandatory access control.

ACLs have been in the Linux file systems for ages, and they work exactly the same across distributions. They just aren't used.

Re:

[rabtech]

Delegation is the key; with ACLs you can delegate rights to any combination of users and groups and have those rights be inherited, either by files, subfolders, or both.

For example you could give CHANGE_PERMISSIONS to CREATOR_OWNER on \Users, to be inherited by subfolders and files only (not Users itself). Then a user can grant other people access to his or her files without having to be root (administrator).

In Windows, it isn't just the filesystem that supports ACLs; processes, kernel objects, etc all supp

Re:

[coryking]

This is largely a cultural thing left over from unix, which discarded ACLs in order to save space on the file system

Besides being a cultural thing, traditional unix filesystem permissions are far to entrenched for ACL's to take over. Does tar preserve anything but "owner, group, world"? Does Apache cope with ACL's? PHP? In all my travels, I've never once used ACLs or seen them used. Has anybody used them?

The bigger problem with ACL's in unix is the command line isn't a very good way to handle complex permissions. Complex permissions require complex displays. For example, using nothing but text, how do you show th

Re:

[ratboy666]

That IS a problem. But it's not the reason ACLs (discretionary access control) isn't used much. Indeed, it isn't used on Windows, either.

The reason(s) its not used are:

1 - too complicated. period.
2 - only NEEDED for 10% or less of the cases. The other 90% is handled nicely by uga permissions.
3 - see (1). Because it's THAT complicated, ACLs cannot be audited. Since the auditing is impractical, its not going to be done. As a DIRECT result, the calculus of ACLs must be such that ACLs can be effectively reasone

Re:

[fluffy99]

It's only too complicated on Linux. Heck, I'm be thrilled if Samba handled file permissions correctly let you change permissions without having to ssh in and do it as root. No problem though, I run my file servers on Windows where I don't have to mess with such crap.

Goof ups similar to your VMS example are very easy to run into under both Linux and Windows too. Try using the EXT extended attributes to apply acls. A few setuid tools totally ignore them, and they disappear with back and restore. Plus you

Re:

[sentientbrendan]

>I've never once used ACLs or seen them used. Has anybody used them?
I gave an example of where I've used ACL's in my post (a non root user try to give access to specific others to his files without giving everyone access). I also have run into a lot of other people who hit the same problem, but simply gave up because it couldn't be done without creating a whole new group, which they sometimes couldn't do... I suspect if you haven't noticed the limitations of user/group/everyone bits, you've been trying p

Re:

[coryking]

I'm not saying ACL's are bad. I think ACL's would be a very useful addition to Linux. Owner,Group,World is just not granular enough for big groups of people. I dont use ACL's on linux because they are just to much of a pain in the ass. I even turn them off on the filesystem so if somebody hacks the box they cannot bury shit in the ACL structure in a way I cannot see it using ls -l (and yes, I know it gives a hint that there are ACL's on a file).

I'm saying in their current state, ACL's are unusable mainl

Re:

[ratboy666]

"Years yes... but they are still fairly new compared to the ACLs that are present in NTFS. Also, ACL's aren't really universal or standardized in linux."

Linux ACLs are an implementation of POSIX 1003.1e draft 17. Every Linux. Everwhere. Maybe "still fairly new compared to the ACLs that are present in NTFS" is true.

Re:

[SmackedFly]

Not completely true. For normal server usage ACLs are excessive, but for file sharing setups they can really save complexity for the user. The user,group,everyone scenario takes some time to wrap your head around. Also, there are lots of scenarios where you just need to make a small change, where unix permissions force you to make lots of changes to change permissions of an object.

The real issue Linux has over Windows is the lack of recursive group support, aka. 'groups of groups', which can really remove t

Re:

[EvanED]

To get to the point though: Administrators don't use ACLs on Linux because they make file permissions much harder to understand, for what is in reality an unimportant increase in expressiveness
For at least one setting -- a school setup -- they are almost vital.

Suppose I am working on a project with one other person from my class, and we need to share files. How can I do that without making them readable and writable by too many people? AFAIK, I can't. I don't think I can create a group without root privileg

Re:

[EvanED]

Yes, so every time I want to do a project, I need to get the admins in on it? Great system. </sarcasm> (Fortunately at this point I can just do it myself; my grad school uses AFS which provides the ability for users to manage ACLs. Actually undergrad supposedly provided ACLs, but I tried a little and couldn't get them to work.)

It would have been nice if they provided a good Subversion server we could use, but to my knowledge they didn't. Anyway I was simplifying the above discussion slightly; when do

RBAC, Anyone?

[BrainInAJar]

Wow, they've invented a neutered version of RBAC. [sun.com]

way to be innovative.

Re:

[amorsen]

RBAC has been in Linux for a long time, in the form of SELinux. The new thing is that you can store the privileges in the file system. The advantage is that you don't need to modify your formerly set-uid applications, so it is easier on the system administrator. The disadvantage is that you don't need to modify your applications, so any security vulnerabilities caused by running with a lower privilege (yes, that is possible) might not be discovered by the good guys first.

nope, we "invented" prior to Sun

[r00t]

Years ago, we swiped the idea from SGI's Irix. They seem to have swiped it from Data General's DG-UX.

We implemented everything but the filesystem support. Filesystem support is complicated. It's actually SE Linux that has driven our ability to put arbitrary security markings on files, along with non-security desires for various extended attribute and multi-fork things.

Unfortunately the set of bits was nearly copied from SGI's Irix, where it was botched. The bit choice is inflexible, redundant, and rather sm

Systrace?

[RAMMS+EIN]

How do POSIX capabilities compare to systrace?

Recently become available?

[RAMMS+EIN]

Quoth the summary:

``POSIX file capabilities, which have recently become available in the Linux kernel; they are expected in the mainline kernel by 2.6.24.''

Recently become available? Haven't POSIX capabilities been in Linux for some time? I seem to recall reading about them in the documentation for some 2.4 kernel, and there is a Gentoo page about them from some time in 2005. Am I missing something?

Re:

[RAMMS+EIN]

I just looked at the capability.h on my system, and it has

#define _LINUX_CAPABILITY_VERSION 0x19980330

This suggests to me that Linux has had capabilities since 1998 at least...

Re:Recently become available?

[xSauronx]

*waves hand in front of you* this is not the capabilities you are looking for.

Re:

[cocacoch]

... but not for you as a user or admin usable to secure your system. Ideas how to use it: http://www.friedhoff.org/fscaps.html [friedhoff.org]

Re:Recently become available?

[Junta]

POSIX capabilities are old, the ability to store which capabilities are permitted just like ACLs/owner/permission is new.

So before, ping gets executed and it's up to ping code to assume/give up unneeded POSIX capabilities as permitted by the rather broad setuid bit. Now, it's execed only with the appropriate capabilities even being possible, without needing the rather broad setuid bit being set. Setuid can be safe with effort, but if the program can operate under a more specific security context, all the better.

Re:

[RAMMS+EIN]

Ah, I see now that I _was_ missing something.

What is new is not that Linux has POSIX capabilities.

What is new is that you can store a description of the capabilities an executable is to receive _on the executable_.

Re:

[jd]

Patches for POSIX ACLs have existed for some time. Patches for controls in excess of POSIX have also existed for some time. Some filesystems have also supported ACLs (POSIX or their own) for some time, independently of the rest of the kernel. Linux also has very sophisticated security modules, including Linux capabilities and SELinux.

Linux having full POSIX capabilities is good, but frankly there are getting to be too many wholly independent security mechanisms. That's not to say that a single system woul

Re:

[devangm]

There are too many security mechanisms, and apart from those offered as patches, it's the distro that decides what you end up with. Some have multiple options, most don't. I use grsec/PaX with TPE to run all internet programs under a different user which can't execute anything except what's installed in /usr/bin. Combined with building all those internet programs using -fstack-protector-all on gentoo and restrictive user/group permissions on important directories, I think it's pretty good security without A

Re:

[icedevil]

The biggest problem I see with the current system is that it isn't comprehensive. There's no easy way to provide trusted computing to memory (especially shared on the system, distributed or otherwise networked), security models generally don't work over clusters (eg: migrating a process from one machine to another won't necessarily migrate security labels or permissions), VNIC and Infiniband cards can RDMA direct into and out of memory without reference to security models, etc. This isn't a Linux problem, p

Re:

[jd]

Oh, I completely agree that that is what is done in practice. However, I think it's stupid and naive - even if you completely trust all the users, you can't trust all of the users' applications to be so bug-free all the time that they don't disrupt the system or delete critical files. For that matter, from the earliest known AT&T malware to computer viruses, malware has got itself added without the knowledge of users onto software.

If you want to get a bit more paranoid, the sorts of companies using hi

Re:

[angus_rg]

int Yes = setreuid(owned, biatch);

I mastered them...

[m2943]

by not using them. They are some holdover from a time when people thought that VMS was so much better than UNIX because it had so many more features.

The first principle of security is KISS, and they violate this principle big time.

Re:

[devangm]

Yes they do, give me memory/stack protection over POSIX ACL's any day.

Re:

[dasunt]

It's a nice principle to follow for systems designed by amateurs who don't know the first thing about actual principles, yes.

A system that relies on the administrator being a security guru probably isn't that secure in the real world where most administrators don't have time to become security experts...

Re:

[tuomoks]

You need points! Not that an administrator couldn't be a security guru I have always wondered this whole paradigm that programs have a a control over security, access rights, etc? Isn't that (shouldn't that) be an external function in a system? Sorry, I'm (still) a mainframe person and it doesn't matter if you set supervisory, root, whatever bit in program, you don't get it because it wasn't allowed by system. I like POSIX because it standardizes a lot of coding but IMHO before there are standard methods to

right, this actually adds holes

[r00t]

Lots of programs try to limit themselves when run as setuid root. For example, they refuse some kind of user input. If they see that they are NOT running setuid root, then they assume that they have no privilage and that thus there is no need to limit themselves.

Other programs assume that if ONE privileged operation succeeds, then some OTHER privileged operation will also succeed. (because root can traditionally do everything) When that other operation fails unexpectedly, you may get some sort of inconsista

Re:

[msuarezalvarez]

With this new feature, both sorts of sloppy programming become security holes.

Sloppy programming is security holes.

Assuming the implemenation works fine, then if an app is making the assumption that because it can do X then it can do Y, well, it will find out that it really cannot do Y, and it'll get killed. Then you can fix it. Ah, the tragedy!

Re:

[r00t]

That could be a big problem, commonly a denial-of-service.

Suppose the app takes a lock (or similar) which requires privilege. This succeeds. The app then does something else which requires privilage, and fails.

If the app dies at this point, things are stuck. Hopefully a reboot can clear the problem. Depending on the nature of the app, you may well have database corruption.

BTW, maybe I shouldn't have referred to the first case as sloppy programming. It's perfectly legit on a traditional system that lacks the

Re:

[msuarezalvarez]

The resulting security problem has actually happened, with sendmail on Linux

And it was fixed. Ah, the tragedy.

old news

[Tom]

What a misleading article. There are some technical details that are new, but capabilities are extremely old and have been available for Linux for almost a decade. They haven't seen much use, and that's the part that might change, but filing this as a new development is stupid. It'll only invite the windos shills to claim that windos is so much better because they've had granular permissions for sooo long (yes, they had, for about the same time Linux did. same story, almost nobody uses them.)

Re:

[IkeTo]

> There are some technical details that are new, but capabilities are
> extremely old and have been available for Linux for almost a decade.

I don't think so. Process capabilities are there for a long time, but file capabilities has not been there (in other words, there is no file system that support letting users to set programs to be "setuid 0, but only allow sending signals to arbitrary processes, without any other special ability of the root user"). Without file capabilities, only programmers can

Re:

[cocacoch]

Since the so called sendmail capabilities bug there was no broad use of capabilities. But inside the kernel, capabilities "survived". If a process was asking for a privileged action like opening a privileged port, the process was checked for having the needed capability. As there was no way to grant a process a distinct capability the only way was to start this process in the context of root, who has by definition all capabilities. Now its possible to give the binary the extended attribute capability and if

Re:

[Monkius]

Well, there was and is broad use, I think. For example, grsecurity (http://www.grsecurity.org/) allow policies to be created wherein policies are granted and revoked to specific processes. Neither modification of programs nor file labelling is required. Selinux of course also allows administrators fine-grained control over capabilities--in a much more comprehensive framework than these file capabilities.

Re:

[cocacoch]

I'm accompanying this implementation with documentation and testing of file capabilities since more than a year. My impression is since the usage of capabilities is as simple as storing them in the file system and using the in-kernel infrastructure, there is wider interest in capabilities and more development in this field. Now you can control the power of programs and daemons/server, in a simple and intuitive way. You don't have to trust the program to decrease its capabilities. See here for examples http: [friedhoff.org]

Re:

[nuzak]

> (in other words, there is no file system that support letting users to set programs to be "setuid 0, but only allow sending signals to arbitrary processes, without any other special ability of the root user"

Doesn't it sound barkingly insane to say "run as a God User except only able to do X, Y, and Z?" Why indeed even have root in the first place? But that's still what these capabilities are -- set a single set of bits in a process (to all zeros no less) and let it do everything, THEN strip out what

Re:

[cocacoch]

If you grant the necessary capability, there is no reason to run the binary in the context of root. Just give enough power in the form of capabilities and you don't need and don't have any suid0 progs. Before the you had to rely on the root-started binary to reduce the set of capabilities itself. Now you start the binary in an unprivileged user context with just this needed set of capabilities.

More complexity = less security

[xtronics]

Be afraid of complexity junkies where security is involved.

I've used and supported both Windoze and Unix systems and find that the more complex file permissions are the more likely they are to be simply turned off. The Current Linux system works well enough and users can understand it well enough. These other fixes will only create 10 times the problems they claim to fix.

Re:

[Just Some Guy]

Be afraid of complexity junkies where security is involved.

I don't think that the OpenBSD folks [openbsd.org] are complexity junkies. OK, I'm not really up on all this stuff, but I think I get the gist of their thinking. Here's what I believe the pro-capabilities people would tell you:

You're advocating a false economy. Sure, capabilities are potentially complex and the implementation is hard to get right. Still, you only have to do it right one time and everything else benefits. In today's situation, we have things like "ping" running setuid root so that it can create r

Re:

[poopdeville]

You're advocating a false economy. Sure, capabilities are potentially complex and the implementation is hard to get right. Still, you only have to do it right one time and everything else benefits. In today's situation, we have things like "ping" running setuid root so that it can create raw sockets and Apache launching as root so that it can bind port 80 before dropping privileges.

Yup. If Debian came out with an apt package that implemented ACLs that just worked with apt, dozens of people around the world

Too much to hope for?

[glwtta]

Does this mean that I'll finally be able to allow servers to bind to port 80, without having to run the whole thing as root? Please?

Apache does pretty well with "downgrading" its running privileges, but many others, not so much.

Re:

[Nevyn]

Yes, CAP_NET_BIND_SERVICE is a distinct capability. See "man capabilities" on a Linux box, although you may also want to give it CAP_SYS_CHROOT ... depending on how paranoid you are.