• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1Overview
2--------
3
4As of Linux 2.2.0, the power of the superuser has been partitioned
5into a set of discrete capabilities (in other places, these
6capabilities are know as privileges).
7
8The contents of the libcap package are a library and a number of
9simple programs that are intended to show how an application/daemon
10can be protected (with wrappers) or rewritten to take advantage of
11this fine grained approach to constraining the danger to your system
12from programs running as 'root'.
13
14Notes on securing your system
15-----------------------------
16
17Adopting a role approach to system security:
18
19changing all of the system binaries and directories to be owned by
20some user that cannot log on. You might like to create a user with
21the name 'system' who's account is locked with a '*' password. This
22user can be made the owner of all of the system directories on your
23system and critical system binaries too.
24
25Why is this a good idea? In a simple case, the CAP_FUSER capabilty is
26required for the superuser to delete files owned by a non-root user in
27a 'sticky-bit' protected non-root owned directory. Thus, the sticky
28bit can help you protect the /lib/ directory from an compromized
29daemon where the directory and the files it contains are owned by the
30system user. It can be protected by using a wrapper like execcap to
31ensure that the daemon is not running with the CAP_FUSER capability...
32
33
34Limiting the damage:
35
36If your daemon only needs to be setuid-root in order to bind to a low
37numbered port. You should restrict it to only having access to the
38CAP_NET_BIND_SERVICE capability. Coupled with not having any files on
39the system owned by root, it becomes significantly harder for such a
40daemon to damage your system.
41
42Note, you should think of this kind of trick as making things harder
43for a potential attacker to exploit a hole in a daemon of this
44type. Being able to bind to any privileged port is still a formidable
45privilege and can lead to difficult but 'interesting' man in the
46middle attacks -- hijack the telnet port for example and masquerade as
47the login program... Collecting passwords for another day.
48
49
50The /proc/ filesystem:
51
52This Linux-specific directory tree holds most of the state of the
53system in a form that can sometimes be manipulated by file
54read/writes.  Take care to ensure that the filesystem is not mounted
55with uid=0, since root (with no capabilities) would still be able to
56read sensitive files in the /proc/ tree - kcore for example.
57
58[Patch is available for 2.2.1 - I just wrote it!]
59