Discussion:
[linux-elitists] Capabilities equivalent to root
Don Marti
2014-06-03 15:21:45 UTC
Remember this article about which Linux capabilities
can be upgraded to full root access?

False Boundaries and Arbitrary Code Execution
http://forums.grsecurity.net/viewtopic.php?f=7&t=2522

Spengler: False Boundaries and Arbitrary Code Execution
https://lwn.net/Articles/421671/

Has anyone done an update? Are all these capabilities
still equivalent to root?
--
Don Marti
http://zgp.org/~dmarti/
***@zgp.org
Greg KH
2014-06-03 17:04:41 UTC
Post by Don Marti
Remember this article about which Linux capabilities
can be upgraded to full root access?
False Boundaries and Arbitrary Code Execution
http://forums.grsecurity.net/viewtopic.php?f=7&t=2522
Spengler: False Boundaries and Arbitrary Code Execution
https://lwn.net/Articles/421671/
Has anyone done an update? Are all these capabilities
still equivalent to root?
Pretty much yes, as we can't change existing functionality without
breaking things that are working properly.

There are proposals for how to fix up the capability mess, it just
requires someone to do all of the dirty work in implementing it.

Or use user namespaces, in a container, which should give you good
enough confinement to not need to worry about capabilities anymore.

greg k-h