[Bug 2600] New: Use Linux capabilities to revoke additional permissions from chrooted users

bugzilla-daemon at bugzilla.mindrot.org
Thu Jul 21 00:16:32 AEST 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2600

            Bug ID: 2600
           Summary: Use Linux capabilities to revoke additional
                    permissions from chrooted users
           Product: Portable OpenSSH
           Version: 7.2p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Keywords: patch
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 2857
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2857&action=edit
Configure integration of libcap-ng and its usage related to chroot

This report is closely related to bug #2482, reported some time ago,
and it attempts to resolve the old chicken-and-egg problem with chroot
(in combination with SELinux), but it can also make sense on normal
Linux to drop additional privileges earlier (or in other parts of the
code).

With SELinux, we can avoid giving out the setuid and setgid capabilities
to the very limited SELinux users, which is very desirable (we can't
switch SELinux context in chroot, so we had to have these permissions to
drop uid and gid).

The new behavior drops all capabilities (except SYS_CHROOT) before
chroot and the SYS_CHROOT capability just after it. Even if the first
attempt fails (prevented by SELinux), the privileges are dropped as
before using permanently_set_uid().

This patch is implemented using the libcap-ng [1] library, which makes
the use of Linux capabilities much easier than the native interface
(the patch can build with or without it).

[1] https://people.redhat.com/sgrubb/libcap-ng/

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
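
The ordering described in the report (keep only SYS_CHROOT, chroot, then drop SYS_CHROOT), as an added example that is neither the attached patch nor OpenSSH code. It uses the raw capget/capset system calls instead of libcap-ng so that it builds without extra libraries; the function names are hypothetical, and the uid/gid switch that sshd performs with permanently_set_uid() is left out.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Read the thread's effective and permitted sets as 64-bit masks. */
int caps_get(uint64_t *eff, uint64_t *perm)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &hdr, d) != 0)
        return -1;
    *eff = ((uint64_t)d[1].effective << 32) | d[0].effective;
    *perm = ((uint64_t)d[1].permitted << 32) | d[0].permitted;
    return 0;
}

/* Shrink effective and permitted to (permitted & keep), clear inheritable.
 * This can only remove capabilities, so it also works unprivileged. */
int caps_restrict_to(uint64_t keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    uint64_t eff, perm;
    if (caps_get(&eff, &perm) != 0)
        return -1;
    perm &= keep;
    memset(d, 0, sizeof(d));
    d[0].effective = d[0].permitted = (uint32_t)perm;
    d[1].effective = d[1].permitted = (uint32_t)(perm >> 32);
    return syscall(SYS_capset, &hdr, d) == 0 ? 0 : -1;
}

/* Ordering from the report: keep only SYS_CHROOT, chroot, then drop it. */
int chroot_with_minimal_caps(const char *dir)
{
    if (caps_restrict_to(1ULL << CAP_SYS_CHROOT) != 0)
        return -1;
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    return caps_restrict_to(0);
}

int main(int argc, char **argv)
{
    /* Needs CAP_SYS_CHROOT (e.g. root); argv[1] is the jail directory. */
    return (argc == 2 && chroot_with_minimal_caps(argv[1]) == 0) ? 0 : 1;
}
```

Once the permitted set is empty the process cannot call chroot() again, and it cannot regain the capabilities without an execve() of a privileged binary.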