Ticket #7562 (new defect)

Opened 5 years ago

Last modified 5 years ago

Reducing root's capabilities.

Reported by: cscott Owned by: cscott
Priority: normal Milestone: 9.1.0-cancelled
Component: security Version: not specified
Keywords: Cc: mstone, dsaxena
Action Needed: never set Verified: no
Deployments affected: Blocked By:
Blocking: #7397

Description

Dropping some capabilities of root in the olpcrd (init, pid 1) before the rest of the system has been started, has been mentioned as a way to avoid disabling root completely.

Change History

Changed 5 years ago by cscott

  • cc dsaxena added

Some of the capabilities that would need to be dropped: 

CAP_SYS_TIME (maybe a narrower cap would be useful)
CAP_SYS_RAWIO (to prevent working around CAP_SYS_TIME)
CAP_SYS_MODULE (to avoid rewriting the kernel)
CAP_SYS_BOOT (to disable kexec_load)

I don't have high confidence that this list is complete: it may be possible to use other root capabilities to work around the lack of the above capabilities. Hard Thinking required. But the above would be a start.

Note that removing CAP_SYS_RAWIO will probably break X, and removing CAP_SYS_BOOT may disable reboot (unless we work around it by asking the EC).

Changed 5 years ago by cscott

These should be dropped only if security is enabled (wp and no dev key or dk).

Changed 5 years ago by gnu

This discussion is insane. But you're playing out the script of DRM, which is that absolutely everything needs to be restricted, one step at a time to avoid disturbing the slowly heating crustaceans. Turning off root's capabilities, system-wide, has no place in a free software-based system.

Changed 5 years ago by kimquirk

  • milestone changed from 8.2.0 (was Update.2) to Future Release

Changed 5 years ago by cscott

  • milestone changed from Future Release to 9.1.0

See also #3914, which discussed protecting kernel memory only.

Note: See TracTickets for help on using tickets.