Enhancing security of your (Linux) system

First, you'll need to install the kernel patch (unless Linus rolls it into the mainstream kernel ;-) and do the obvious steps of building and installing the modified kernel. Then you'll need some software for setting capabilities. It is called setcap; it can modify capabilities for existing executables without recompiling them, and is available below. Then comes the hard part: you need to decide which programs really need which capabilities. This is easy with programs like ping, but it may be pretty hard for programs like sendmail. I'm trying to write a (trivial) tool which has a database of names and a list of the capabilities each of the "known" programs needs.

Notice that I'm not trying to give you the maximum security possible. No. I want to give you good security, but compatibility with unix and usability of the system are very important to me. Like Albert D. Cahalan said: "Create security enhancements that Red Hat can enable by default."

ELF capabilities hack

From now on, there's support for capabilities in ELF executables. An ELF executable may now contain a "capabilities header", telling which capabilities should be dropped on exec. This cannot hurt: lowering capabilities is not a privileged operation, and the executable could do it itself at the beginning of main.

Doing it at exec() time has certain advantages, though: you can easily look at what capabilities are in use by what program, and you can set capabilities for existing executables without needing to recompile. (It is hard to create a tool which inserts an elfcap header into an ELF file. But it has been done. Inserting code to drop capabilities at the beginning of main would be a nightmare.)

Notice that this system is very nice, but as described it has limited use. It only lowers capabilities, and raising capabilities is what causes problems. (50% of security holes in unix are related to setuid0 programs.) But wait: elfcap can easily be used to limit the damage done by setuid0 programs. It needs only a little trick: the ability to set euid back to ruid. Through setuid0, the process gets all capabilities, and elfcap is free to drop those capabilities it does not want.

So, along with the existing setuid mechanism, this hack can be used to grant a subset of capabilities to executables. For example, ping currently has to be setuid0. With elfcap, ping will still be setuid0, but most of its capabilities (and its euid) will be dropped at exec() time, so breaking into ping will allow an attacker to generate arbitrary packets to the network, but nothing more.
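For comparison, this is roughly what a setuid0 program would have to do by itself at the beginning of main to end up in the state described above for ping. It is an added example, not code from elfcap or from this page: it uses the capget/capset system calls of current Linux kernels rather than an ELF header, and the function names `drop_to` and `effective_caps` are made up for the illustration.

```c
#define _DEFAULT_SOURCE            /* for syscall() */
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read this process's capability sets (v3 ABI: two 32-bit words per set). */
static int get_caps(struct __user_cap_data_struct d[2])
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &h, d);
}

/* Effective set as a 64-bit mask, or UINT64_MAX if capget fails. */
uint64_t effective_caps(void)
{
    struct __user_cap_data_struct d[2];
    if (get_caps(d) != 0) return UINT64_MAX;
    return ((uint64_t)d[1].effective << 32) | d[0].effective;
}

/* Set euid back to ruid, then keep only the capabilities in `keep`.
 * Returns 0 on success, -1 on failure (a real program should exit then). */
int drop_to(uint64_t keep)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];

    /* Without this, leaving uid 0 would clear the permitted set as well. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setuid(getuid()) != 0) return -1;   /* setuid0 case: euid, suid := ruid */
    if (get_caps(d) != 0) return -1;
    for (int i = 0; i < 2; i++) {
        uint32_t k = (uint32_t)(keep >> (32 * i));
        d[i].permitted &= k;                /* lowering needs no privilege */
        d[i].inheritable &= k;
        d[i].effective = d[i].permitted;    /* re-enable what survived */
    }
    return (int)syscall(SYS_capset, &h, d);
}

int main(void)
{
    /* The ping case: keep raw-socket access, drop everything else. */
    if (drop_to(1ULL << CAP_NET_RAW) != 0) { perror("drop_to"); return 1; }
    printf("euid=%d effective=%#llx\n", (int)geteuid(),
           (unsigned long long)effective_caps());
    return 0;
}
```

Run without any privileges, it simply ends with an empty effective set; installed setuid0, it ends with the caller's euid and only CAP_NET_RAW.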

Summary of what elfcap can do:

For more info & utility programs, look at http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html.

Bad idea

I should emphasize that it is a bad idea to give suid0 to any program just because you have capabilities. If a program did not have suid0 yesterday, it probably should not have suid0 today. (Think about booting an old kernel, for example.)

Download

Links


Pavel Machek