Expert: Linux capabilities don't add security
The developer behind the grsecurity project, Brad Spengler, has pointed out that most of the privilege-control capabilities implemented in Linux carry a significant potential for compromising a system and wreaking other havoc.
The intended purpose of capabilities is to prevent precisely that by restricting services and processes to certain operations and specific resources. Among other things, they aim to limit the damage a successful attack can do: an exploit for an office tool cannot, for example, install a back door that listens on a privileged network port, because the office tool does not hold the capability required to bind to such a port. Capabilities can also make SUID binaries unnecessary, and Ubuntu and Fedora are considering this approach. Openwall has reportedly already implemented it in version 3.0, released towards the end of December: the standard installation doesn't contain a single SUID program.
Spengler, whose grsecurity project promotes a role-based access control system, examined 35 of the Linux capabilities to see whether an attacker could abuse them. According to him, 21 of the capabilities potentially allow attackers to escalate their privileges or otherwise manipulate a system once they have compromised a service that holds them.
For instance, CAP_SYS_ADMIN allows file systems to be mounted and unmounted, which potentially enables attackers to mount their own file system over the original one and replace existing programs with arbitrary code. CAP_NET_ADMIN, Spengler says, allows the firewall to be configured for packet redirection. This potentially enables attackers to redirect a system's sshd connections to an arbitrary server, grab users' log-in credentials and subsequently use them to access other systems.
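As an added example (this is not code from the article, from Spengler or from grsecurity), the following C program decodes the CapEff and CapBnd bitmasks the kernel reports in /proc/<pid>/status and flags a process that holds either of the two capabilities discussed above. The bit numbers are the kernel's from linux/capability.h; the embedded status text is constructed for the demonstration, and the "root-equivalent" rule implements only the article's two examples, not Spengler's full list of 21.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Capability names indexed by bit number, as in the kernel's
 * linux/capability.h (the 35 capabilities that existed when the
 * article was written, bits 0..34). */
static const char *const cap_names[] = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog",
};
#define CAP_COUNT (sizeof cap_names / sizeof cap_names[0])
#define CAP_NET_ADMIN_BIT 12u
#define CAP_SYS_ADMIN_BIT 21u

/* Return the hex mask following "<field>:" at the start of a line in a
 * /proc/<pid>/status buffer, or 0 if the field is not present. */
uint64_t parse_cap_field(const char *status, const char *field)
{
    char key[32];
    snprintf(key, sizeof key, "%s:", field);
    size_t klen = strlen(key);
    for (const char *p = status; (p = strstr(p, key)) != NULL; p += klen)
        if (p == status || p[-1] == '\n')
            return strtoull(p + klen, NULL, 16); /* strtoull skips the tab */
    return 0;
}

int cap_set(uint64_t mask, unsigned bit)
{
    return bit < 64 && ((mask >> bit) & 1u);
}

/* Name for a bit; bits beyond the table are reported as cap_<n>. */
const char *cap_name(unsigned bit)
{
    static char unknown[16];
    if (bit < CAP_COUNT)
        return cap_names[bit];
    snprintf(unknown, sizeof unknown, "cap_%u", bit);
    return unknown;
}

unsigned cap_count(uint64_t mask)
{
    unsigned n = 0;
    for (unsigned bit = 0; bit < 64; bit++)
        n += cap_set(mask, bit);
    return n;
}

/* The article's two examples only: a process holding CAP_SYS_ADMIN (mount)
 * or CAP_NET_ADMIN (firewall redirection) is audited as if it were root. */
int root_equivalent(uint64_t mask)
{
    return cap_set(mask, CAP_SYS_ADMIN_BIT) || cap_set(mask, CAP_NET_ADMIN_BIT);
}

void report(const char *label, uint64_t mask)
{
    printf("%s = %016llx (%u capabilities)%s\n", label,
           (unsigned long long)mask, cap_count(mask),
           root_equivalent(mask) ? "  ** root-equivalent **" : "");
    for (unsigned bit = 0; bit < 64; bit++)
        if (cap_set(mask, bit))
            printf("    %s\n", cap_name(bit));
}

/* Constructed sample, not a real process: a service that kept only
 * CAP_NET_ADMIN (bit 12) and CAP_SYS_ADMIN (bit 21), i.e. 0x201000. */
const char *const sample_status =
    "Name:\tsampled\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000201000\n"
    "CapEff:\t0000000000201000\n"
    "CapBnd:\t00000007ffffffff\n";

int main(int argc, char **argv)
{
    char path[64], buf[8192];
    const char *status = sample_status;
    /* Usage: ./caps [pid]; with a pid the real /proc/<pid>/status is read. */
    if (argc > 1) {
        snprintf(path, sizeof path, "/proc/%s/status", argv[1]);
        FILE *f = fopen(path, "r");
        if (!f) { perror(path); return 1; }
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
        buf[n] = '\0';
        status = buf;
    }
    report("CapEff", parse_cap_field(status, "CapEff"));
    report("CapBnd", parse_cap_field(status, "CapBnd"));
    return 0;
}
```

Build with `cc -o caps caps.c`; run it without arguments to decode the constructed sample, or with a pid (for example that of a running sshd) to see which capabilities that service actually holds. CapEff is what the process can use right now; CapBnd is the ceiling it can never exceed, so a service whose bounding set still contains bit 21 can regain CAP_SYS_ADMIN through an exec of a file-capability-bearing binary even if its effective set is clean.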
Readers of LWN.net disagree about whether the scenarios are too contrived; many of the described attacks apparently succeed only under special conditions. Some commenters have even accused Spengler of deliberately trying to discredit the capabilities approach in order to scare users into choosing his grsecurity solution.
Meanwhile, Dan Rosenberg has released a local root exploit on the Full Disclosure mailing list. A flaw in the Phonet protocol, in combination with CAP_SYS_ADMIN, lets the exploit open a local root shell. However, the exploit is said to run only on 32-bit systems with specific components; Ubuntu 10.10 is apparently one of them.