←back to thread

Linux Capabilities Revisited

(dfir.ch)
190 points Harvesterify | 1 comments | 22 Oct 25 13:50 UTC | HN request time: 0s | source
Show context
WhyNotHugo ◴[22 Oct 25 19:19 UTC] No.45673859[source]
I find Linux’s approach on capabilities underwhelming, and not even close to a true capability-based system.

For example, you can pass a program a capability to bind any privileged port, but not a specific one. For this scenario, just passing an fd bound to the port is actually much simpler and safer. For other capabilities, they’re just too coarse.

The fact that capabilities are implicitly inherited also doesn’t sound like a good approach on security. It’s likely like this due to backward compatibility, but I really think that capabilities ought to be passed explicitly, and we should be able to transfer them between processes. In fact, using an fd as a handle for capabilities would probably be a much clearer and explicit approach.

replies(4): >>45674780 #>>45676466 #>>45676774 #>>45678086 #
1. qu4z-2 ◴[22 Oct 25 23:29 UTC] No.45676466[source]
If they're not passed around as objects a la FILE*/fd they're not even really capabilities, just (sparkling) fine-grained ambient authority (which still has value to be clear).