libhal-policy -> PolicyKit
Artem Kachitchkine
Artem.Kachitchkin at Sun.COM
Wed Mar 8 11:21:00 PST 2006
> Capabilities work fine. Unfortunately there is no way to selectively
> grant them AFAIK. The program must basically be started as root,
> call prctl(PR_SET_KEEPCAPS), setuid() to some unprivileged user and
> drop the unneeded capabilties. Ie ping still has to be setuid root,
> there is no flag in the filesystem that says /bin/ping gets
> CAP_NET_RAW.
Yes, the OS could use filesystem attributes for privilege/capability
information, but not necessarily. In Solaris we have a database of "execution
profiles", which tie together executables with privileges and authorizations.
Right now it doesn't happen automagically, the command must be run under
"pfexec" wrapper, i.e. you run 'pfexec cdrecord -scanbus' instead of just
'cdrecord -scanbus'. But there is an effort under way to integrate profiles
better so it happens transparently.
Funny you should mention ping, it is also set-uid in Solaris. After so many
years the concept of "setuid is evil" has stuck in our heads that it's hard to
realize how an executable can be setuid and least privilege at the same time.
What ping in Solaris does, the very first thing in main(), is permanently drop
all privileges it won't need, running least privilege from that point on. So the
difference really is whether the system drops the privileges for you, or you
drop the privileges yourself. The former is easier for developers, but they are
both equal in terms of security.
-Artem.
More information about the hal
mailing list