Linux – How to replace setuid with file-system capabilities


Inspired by this question, here is the follow-up:

As some of you may know, setuid binaries are dangerous, since some exploits use these to escalate their rights up to root.

Now it seems that there has been an interesting idea to replace setuid with different, more secure means.

How?

Best Answer

File system capabilities in Linux were added to allow more fine-grained control than setuid alone will allow. With setuid it's a full escalation of effective privileges to the user (typically root). The capabilities(7) manpage provides the following description:

For the purpose of performing permission checks, traditional Unix implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

If an application needs the ability to call chroot(), which is typically only allowed for root, CAP_SYS_CHROOT can be set on the binary rather than setuid. This can be done using the setcap command:

setcap cap_sys_chroot+ep /bin/mybin

As of RPM version 4.7.0, capabilities can be set on packaged files using %caps.

Fedora 15 had a release goal of removing all setuid binaries tracked in this bug report. According to the bug report, this goal was accomplished.

The Wikipedia article on Capability-based security is a good read for anyone interested.
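The point of swapping setuid for a file capability is that the resulting process holds one capability instead of the whole root set, and the Cap* lines in /proc/<pid>/status are where you can confirm that. The script below is an added example (not part of the answer above): it decodes those hex bitmasks into capability names, using a constructed status dump for a process started from the answer's hypothetical /bin/mybin with cap_sys_chroot+ep.

```python
import re
import sys

# Capability bit numbers from <linux/capability.h> (index = bit; bit 0 = CAP_CHOWN).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

def decode_mask(mask):
    """Return the names of the capabilities whose bits are set in `mask`."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"CAP_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1]

def parse_status(text):
    """Decode every Cap* line of a /proc/<pid>/status dump into capability names."""
    return {m.group(1): decode_mask(int(m.group(2), 16))
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", text, re.M)}

# Constructed sample of what a process exec'd from a binary carrying
# cap_sys_chroot+ep reports: only bit 18 in CapPrm/CapEff, not the full root set.
SAMPLE_STATUS = """\
Name:\tmybin
CapInh:\t0000000000000000
CapPrm:\t0000000000040000
CapEff:\t0000000000040000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    # Pass a path such as /proc/<pid>/status, or run with no arguments to decode the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    for key, names in parse_status(text).items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

A setuid-root binary would instead show CapEff equal to the CapBnd line, i.e. every capability the kernel knows about.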
