cvs checkout
Robert Watson
rwatson at FreeBSD.org
Fri Sep 7 14:49:09 GMT 2001
On Thu, 6 Sep 2001, Ilmar S. Habibulin wrote:
> On Thu, 6 Sep 2001, Robert Watson wrote:
>
> > A new patchset for capabilities should be due out soon, and will actually
> > be going to freebsd-arch as well for review with the intent of committing
> > it soon (I've been committing supporting components for Capabilities over
> > the last week or two, but to make much more progress I need to commit the
> > kernel code for them).
> Would capabilities be introduced as a feature in 5.0-release, or are there
> plans to hardly integrate it with the rest of the system? Some programs
> need to be rewritten in order to function properly with capabilities
> enabled. I tried to start X-server without suid bit with full caps enabled
> - it told me that SUID execution is the only way it works. ;-)
There are a number of programs in the system with the problem you describe
-- for example, I know that both the SSH client and server make tests
based on uid to determine how they should behave, rather than trying the
operation and testing for failure. My expectation is that:
- Kernel support for capabilities will be complete in FreeBSD 5.0-RELEASE.
- This will include support for associating capabilities with executables
using extended attributes (the last few patches posted do this, and
Thomas Moestl's latest work teaches the FreeBSD installation make files
about how to set them up properly).
- Many userland setuid utilities will have been taught how to detect if
the system has capabilities enabled, how they gained what privilege they
have, and how to appropriately manage that privilege.
- Some key third party applications will have been adapted, including X
Windows.
I am certain we will ship the system with setuid root applications
included and used by default, and with root privilege enabled. I believe
that we'll have the system in a state where that can be turned off with an
appropriately tweaked set of file system modes and capability sets, and
that much of the base system will operate correctly. It will be possible
to run a "hybrid" privilege model system where both uid 0 has privilege,
and privilege may be gained and managed using capabilities, but that the
two models will be "independent", both sufficient to gain privilege. This
will prevent security problems of the sort present previously in Linux by
virtue of setuid applications expecting uid 0 to offer full privilege.
The degree to which this happens will depend on how successful we are in
the userland integration--in particular, how well we can modify
applications to behave correctly both as setuid and with capabilities.
Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org NAI Labs, Safeport Network Services
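The point Robert makes about programs testing the uid instead of trying the operation and testing for failure, as an added C example that is not from the thread or from the FreeBSD or TrustedBSD code base. The stand-in operations op_succeeds, op_denied and op_bad_arg are constructed for illustration; raise_priority uses setpriority(2), which genuinely requires privilege to raise priority on both FreeBSD and Linux.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

enum priv_result { PRIV_OK = 0, PRIV_DENIED = 1, PRIV_ERROR = 2 };

/* Anti-pattern from the message: decide behaviour from the uid alone.
 * Wrong in both directions under a hybrid model: uid 0 may have had
 * privilege withheld, and a non-zero uid may hold the needed capability. */
int assume_privilege_from_uid(void)
{
    return geteuid() == 0;
}

/* Recommended pattern: attempt the privileged operation, then classify
 * the outcome.  op() returns 0 on success, -1 with errno set on failure. */
enum priv_result try_privileged_op(int (*op)(void))
{
    errno = 0;
    if (op() == 0)
        return PRIV_OK;
    if (errno == EPERM || errno == EACCES)
        return PRIV_DENIED;   /* no privilege: degrade gracefully */
    return PRIV_ERROR;        /* unrelated failure: report it */
}

/* A real privileged operation: lowering the nice value (raising priority)
 * needs privilege; the kernel, not the uid, is the authority on that. */
int raise_priority(void)
{
    int cur = getpriority(PRIO_PROCESS, 0);   /* -1 is a legal value too */
    return setpriority(PRIO_PROCESS, 0, cur - 1);
}

/* Constructed stand-ins for a privileged operation, used by the checks. */
int op_succeeds(void) { return 0; }
int op_denied(void)   { errno = EPERM; return -1; }
int op_bad_arg(void)  { errno = EINVAL; return -1; }

int main(void)
{
    enum priv_result r = try_privileged_op(raise_priority);
    printf("uid test says privileged: %d; real attempt: %s\n",
           assume_privilege_from_uid(),
           r == PRIV_OK ? "succeeded" : r == PRIV_DENIED ? "denied" : "error");
    return 0;
}
```

Run it once as uid 0 and once as an unprivileged user (or with the relevant capability withheld) to see the two answers diverge.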