blob: b1e524516de7931b2b10055960bfa9ddfb90bc18 [file] [log] [blame]
As of Linux 2.2.0, the power of the superuser has been partitioned
into a set of discrete capabilities (in other places, these
capabilities are know as privileges).
The contents of the libcap package are a library and a number of
simple programs that are intended to show how an application/daemon
can be protected (with wrappers) or rewritten to take advantage of
this fine grained approach to constraining the danger to your system
from programs running as 'root'.
Notes on securing your system
Adopting a role approach to system security:
changing all of the system binaries and directories to be owned by
some user that cannot log on. You might like to create a user with
the name 'system' who's account is locked with a '*' password. This
user can be made the owner of all of the system directories on your
system and critical system binaries too.
Why is this a good idea? In a simple case, the CAP_FUSER capabilty is
required for the superuser to delete files owned by a non-root user in
a 'sticky-bit' protected non-root owned directory. Thus, the sticky
bit can help you protect the /lib/ directory from an compromized
daemon where the directory and the files it contains are owned by the
system user. It can be protected by using a wrapper like execcap to
ensure that the daemon is not running with the CAP_FUSER capability...
Limiting the damage:
If your daemon only needs to be setuid-root in order to bind to a low
numbered port. You should restrict it to only having access to the
CAP_NET_BIND_SERVICE capability. Coupled with not having any files on
the system owned by root, it becomes significantly harder for such a
daemon to damage your system.
Note, you should think of this kind of trick as making things harder
for a potential attacker to exploit a hole in a daemon of this
type. Being able to bind to any privileged port is still a formidable
privilege and can lead to difficult but 'interesting' man in the
middle attacks -- hijack the telnet port for example and masquerade as
the login program... Collecting passwords for another day.
The /proc/ filesystem:
This Linux-specific directory tree holds most of the state of the
system in a form that can sometimes be manipulated by file
read/writes. Take care to ensure that the filesystem is not mounted
with uid=0, since root (with no capabilities) would still be able to
read sensitive files in the /proc/ tree - kcore for example.
[Patch is available for 2.2.1 - I just wrote it!]