←back to thread

Linux Capabilities Revisited

(dfir.ch)
190 points Harvesterify | 1 comments | 22 Oct 25 13:50 UTC | HN request time: 0.215s | source
Show context
surajrmal ◴[22 Oct 25 14:42 UTC] No.45669852[source]
A shared global namespace ultimately makes it very difficult to have a decent capability based security system. Namespaces limited to the set of actions you have and a hierarchy of capabilities whereby children can only be given access to capabilities their parents have is required for a sane view of how things work. Much like encapsulation makes it easier to reason about abstractions in a program, this nested hierarchy of capabilities makes it easier to reason about the privilege of various parts of the system. Instead we have soup where no one can quite reason about what has access to what.
replies(6): >>45670120 #>>45670198 #>>45670857 #>>45671117 #>>45671465 #>>45674367 #
1. marcosdumay ◴[22 Oct 25 16:21 UTC] No.45671465[source]
> whereby children can only be given access to capabilities their parents have

The one thing that makes capabilities usable is that they don't need to follow that rule.

If you don't have processes that let your programs get capabilities from any source other than their creation, you are better just adding your program names into your ACLs.