aboutsummaryrefslogtreecommitdiff
path: root/doc/capability.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/capability.md')
-rw-r--r--doc/capability.md63
1 files changed, 63 insertions, 0 deletions
diff --git a/doc/capability.md b/doc/capability.md
new file mode 100644
index 0000000..cfad4c0
--- /dev/null
+++ b/doc/capability.md
@@ -0,0 +1,63 @@
+# Notes concerning wider use of capabilities
+
+## Overview
+
+**NOTE** These notes were added to the libcap package in
+libcap-1.03. They pre-date file capability support, but fully
+anticipate it. They are some thoughts on how to restructure a system
+to better leverage capability support. I've updated them to render as
+an `.md` formatted file.
+
+As of Linux 2.2.0, the power of the superuser has been partitioned
+into a set of discrete capabilities (in other places, these
+capabilities are know as privileges).
+
+The contents of the libcap package are a library and a number of
+simple programs that are intended to show how an application/daemon
+can be protected (with wrappers) or rewritten to take advantage of
+this fine grained approach to constraining the danger to your system
+from programs running as 'root'.
+
+## Notes on securing your system
+
+### Adopting a role approach to system security
+
+Changing all of the system binaries and directories to be owned by
+some user that cannot log on. You might like to create a user with
+the name 'system' who's account is locked with a '*' password. This
+user can be made the owner of all of the system directories on your
+system and critical system binaries too.
+
+Why is this a good idea? In a simple case, the `CAP_FOWNER` capability
+is required for the superuser to delete files owned by a non-root user
+in a _sticky-bit_ protected non-root owned directory. Thus, the sticky
+bit can help you protect the `/lib/` directory from a compromized
+daemon where the directory and the files it contains are owned by the
+system user. It can be protected to ensure that the daemon is not
+running with the `CAP_FOWNER` capability...
+
+### Limiting the damage
+
+If your daemon only needs to be setuid-root in order to bind to a low
+numbered port. You should restrict it to only having access to the
+`CAP_NET_BIND_SERVICE` capability. Coupled with not having any files
+on the system owned by root, it becomes significantly harder for such
+a daemon to damage your system.
+
+Note, you should think of this kind of trick as making things harder
+for a potential attacker to exploit a hole in a daemon of this
+type. Being able to bind to any privileged port is still a formidable
+privilege and can lead to difficult but _interesting_
+man-in-the-middle attacks -- hijack the telnet port for example and
+masquerade as the login program... Collecting passwords for another
+day.
+
+### The /proc/ filesystem
+
+This Linux-specific directory tree holds most of the state of the
+system in a form that can sometimes be manipulated by file
+read/writes. Take care to ensure that the filesystem is not mounted
+with uid=0, since root (with no capabilities) would still be able to
+read sensitive files in the `/proc/` tree - `kcore` for example.
+
+[Patch is available for 2.2.1 - I just wrote it!]
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-24 05:40:06 +0000