190 points Harvesterify | 5 comments
1. WhyNotHugo No.45673859
I find Linux’s approach on capabilities underwhelming, and not even close to a true capability-based system.

For example, you can pass a program a capability to bind any privileged port, but not a specific one. For this scenario, just passing an fd bound to the port is actually much simpler and safer. For other capabilities, they’re just too coarse.

The fact that capabilities are implicitly inherited also doesn’t sound like a good approach on security. It’s likely like this due to backward compatibility, but I really think that capabilities ought to be passed explicitly, and we should be able to transfer them between processes. In fact, using an fd as a handle for capabilities would probably be a much clearer and explicit approach.

replies(4): >>45674780 #>>45676466 #>>45676774 #>>45678086 #
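The "just pass an fd bound to the port" design from the comment above, as an added example that is not from the thread: a privileged broker binds a listening socket and hands only that socket to an unprivileged worker over a UNIX socketpair with SCM_RIGHTS, so the worker ends up holding the one port it needs and no ambient capability. It uses an ephemeral loopback port so it runs without CAP_NET_BIND_SERVICE; the function names (`send_fd`, `recv_fd`, `broker_bind`, `handoff_demo`) are this example's own.

```c
// Added example, not code from the thread: handing a bound socket to another
// process as the "capability" instead of granting CAP_NET_BIND_SERVICE.
// Port 0 (ephemeral) on loopback keeps it runnable unprivileged; a real
// broker would bind 80 or 443 here before the worker drops privileges.
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>
#include <unistd.h>

// Send one file descriptor over a connected AF_UNIX socket. Returns 0 on success.
static int send_fd(int chan, int fd_to_send) {
    char byte = 'F';                      // one byte of payload is required
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;           // kernel dup()s the fd into the receiver
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

// Receive one file descriptor; returns the new fd number or -1.
static int recv_fd(int chan) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    // Validate the control message before trusting it as an fd.
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

// Local port (host order) a bound socket ended up on, or -1.
static int bound_port(int sock) {
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    if (getsockname(sock, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

// Broker side: bind and listen on 127.0.0.1:<ephemeral>, return the fd.
static int broker_bind(void) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(0) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(s, 4) < 0) {
        close(s); return -1;
    }
    return s;
}

// Whole hand-off in one process: broker binds, sends the socket over a
// socketpair, the "worker" end receives it. Returns the port the worker's
// socket is listening on if it matches the broker's (same open file
// description), else -1.
int handoff_demo(void) {
    int pair[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) < 0) return -1;
    int lsock = broker_bind();
    if (lsock < 0) return -1;
    int want = bound_port(lsock);
    if (send_fd(pair[0], lsock) < 0) return -1;
    close(lsock);                          // broker keeps no copy of the socket
    int got_fd = recv_fd(pair[1]);
    if (got_fd < 0) return -1;
    int got = bound_port(got_fd);
    close(got_fd); close(pair[0]); close(pair[1]);
    return (got > 0 && got == want) ? got : -1;
}

int main(void) {
    int port = handoff_demo();
    printf("worker received listening socket on port %d\n", port);
    return port > 0 ? 0 : 1;
}
```

Between two real processes the broker would `fork()` (or `accept()` a connection from the worker on a named AF_UNIX socket) and the worker would `setuid()`/`setgid()` to an unprivileged account before calling `accept()` on the received socket; the socket stays usable because the authority lives in the open file description, not in the process's credentials.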
2. btilly No.45674780
The use of a fd for access to a file is one of the places where Linux follows a capability model. Not coincidentally, this is a part of the Linux API which has not proven a good target for attacks.
3. qu4z-2 No.45676466
If they're not passed around as objects a la FILE*/fd they're not even really capabilities, just (sparkling) fine-grained ambient authority (which still has value to be clear).
4. ajross No.45676774
This is misunderstanding what the feature is for. The point wasn't to architect a "capabilities-based system" from scratch (see LSM/selinux/apparmor for work in that space). It was to split up the very practical set of "things setuid is traditionally used for" into finer chunks.

The setuid binaries already existed, and this was a means to making them (much) more secure without API changes.

5. ploxiln No.45678086
I feel like it was around 10 to 15 years ago that some people were excited to eliminate all the setuid on various binaries in a Linux distro, by using Linux file xattr capabilities. And eventually it became apparent that this wasn't such a great scheme; many capabilities can be used to escalate to full root, basically. So, yeah, I think this is known. It takes some effort to find some good write-ups from back then, but here we go: https://lwn.net/Articles/632520/ https://forums.grsecurity.net/viewtopic.php?f=7&t=2522&sid=c...