Re: [Openvds-devel] Control Panel for OpenVDS-2


From: Joe Cooper
Subject: Re: [Openvds-devel] Control Panel for OpenVDS-2
Date: Mon, 14 Jan 2002 07:59:26 -0600
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.7) Gecko/20011221

Wim Godden wrote:

>> Right. But, when using capabilities root is just another uid. It's no
>> different than any other user, except that it has all the capabilities,
>> while a regular user has none.
>> What we'll do is lose some capabilities before becoming a virtual root. For
>> example we'll lose the capabilities to mess with the network interfaces,
>> the capability to insert modules in the kernel and all the other dangerous
>> things.
>
> Then you'll have to take away quite a lot of capabilities... and remember that
> if chroot is exploited, all your boxing-in won't help anymore... that's why I
> believe this solution is not exactly the most secure...

I have questions about this as well... I'm not negative on the idea--any time you have a system that allows a user to log in and /do something/ the security issues have to be addressed. We were just lucky that the Unix gods have already mostly worked out user level security concepts for us 20 years ago. We now have to address a new concept: securing a root user in a chroot jail. It definitely isn't insurmountable, if the Linux kernel provides the tools we need to do it (I can't make that judgment at this point, probably Dave knows more than I on this?).

The FreeBSD Jail, mentioned here a few times in the past few days, is nothing more or less than the ability to create a user that can act as root within the jail, but has no capabilities (to use the Linux term) that could impact any other part of the system.

I do fear that a Linux implementation will be made more difficult because Linux has no jail option built in, rather using real capabilities. Capabilities can certainly be more flexible... but flexibility isn't really what is needed or wanted. We just need a very specific task to be accomplished... of course, once someone has made the capabilities decisions, and audited them, and automated their usage, it matters little from the user perspective. Another problem is that I don't see how to prevent some chroot-breakers with the existing capabilities... but I may be wrong, as it is not an area of expertise for me.
--
Joe Cooper <address@hidden>
http://www.swelltech.com
Web Caching Appliances and Support
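The quoted proposal (drop the dangerous capabilities, then become a "virtual root" inside the chroot) can be sketched in C against the current Linux interfaces. The program below is an added illustration, not code from this thread or from OpenVDS: the list of capabilities it drops is a constructed assumption that covers the two named in the message (network interfaces, kernel modules) plus the usual chroot-escape ingredients, and it uses prctl(PR_CAPBSET_DROP) and the raw capset(2) syscall, which postdate this 2002 discussion. Dropping from the bounding set is what keeps a jailed root from getting the capabilities back through a setuid-root binary; dropping from the permitted set is what removes them from the process itself while it stays uid 0. The ordering in enter_jail() is the point: capabilities go first, chroot()+chdir("/") second.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <linux/capability.h>

/* Constructed drop list (an assumption, not the OpenVDS list): the two
 * capabilities named in the thread plus the ones that let a uid-0 process
 * reach outside a chroot. */
static const int dangerous_caps[] = {
    CAP_NET_ADMIN,   /* reconfigure interfaces, routes, firewall */
    CAP_SYS_MODULE,  /* load kernel modules */
    CAP_SYS_CHROOT,  /* a second chroot() is the classic escape ingredient */
    CAP_SYS_ADMIN,   /* mount(2) and much else */
    CAP_SYS_RAWIO,   /* raw disk and port I/O */
    CAP_SYS_PTRACE,  /* attach to processes outside the jail */
    CAP_MKNOD,       /* create device nodes for the host's disks */
    CAP_SYS_BOOT,    /* reboot(2) */
    CAP_SYS_TIME,    /* set the system clock */
};
#define N_DANGEROUS (sizeof dangerous_caps / sizeof dangerous_caps[0])

/* Bitmask of the drop list; every CAP_* number is well below 64. */
uint64_t dangerous_cap_mask(void)
{
    uint64_t mask = 0;
    for (size_t i = 0; i < N_DANGEROUS; i++)
        mask |= (uint64_t)1 << dangerous_caps[i];
    return mask;
}

/* 1 if the capability is on the drop list, 0 otherwise (including bad input). */
int cap_is_dangerous(int cap)
{
    if (cap < 0 || cap >= 64)
        return 0;
    return (int)((dangerous_cap_mask() >> cap) & 1);
}

/* Remove the drop list from the bounding set. The bounding set is inherited
 * across execve() and can only shrink, so a jailed root cannot regain these
 * even via a setuid-root binary. Needs CAP_SETPCAP. Returns the number of
 * capabilities removed, or -1 with errno set. */
int drop_dangerous_from_bounding_set(void)
{
    int dropped = 0;
    for (size_t i = 0; i < N_DANGEROUS; i++) {
        int cap = dangerous_caps[i];
        if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) != 1)
            continue;                       /* already absent (or unknown kernel cap) */
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
            return -1;
        dropped++;
    }
    return dropped;
}

/* Remove the drop list from the thread's own permitted, effective and
 * inheritable sets with the raw capset(2) syscall (no libcap link needed).
 * Dropping never requires privilege. The process may stay uid 0 afterwards
 * but the kernel will refuse, e.g., init_module() and a further chroot(). */
int drop_dangerous_from_current_sets(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    uint64_t mask = dangerous_cap_mask();
    uint32_t word[2] = { (uint32_t)mask, (uint32_t)(mask >> 32) };
    for (int w = 0; w < 2; w++) {
        data[w].effective   &= ~word[w];
        data[w].permitted   &= ~word[w];
        data[w].inheritable &= ~word[w];
    }
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Become the "virtual root": capabilities first, then lock into the jail.
 * Returns 0 on success, -1 with errno set. */
int enter_jail(const char *root)
{
    if (drop_dangerous_from_bounding_set() < 0) return -1;
    if (drop_dangerous_from_current_sets() < 0) return -1;
    if (chroot(root) != 0 || chdir("/") != 0) return -1;
    return 0;
}

/* Unprivileged audit: which of the drop list is still in our bounding set? */
int main(void)
{
    for (size_t i = 0; i < N_DANGEROUS; i++)
        printf("cap %2d: %s\n", dangerous_caps[i],
               prctl(PR_CAPBSET_READ, dangerous_caps[i], 0, 0, 0) == 1
                   ? "in bounding set" : "not in bounding set");
    return 0;
}
```

Run as an ordinary user, main() only reads the bounding set (PR_CAPBSET_READ needs no privilege), which is the audit step the thread says still has to be done. Note that enter_jail() does not by itself answer Wim's objection: a kernel bug in chroot() or a capability left on the list is still a way out, so the drop list is a policy to be reviewed, not a guarantee.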