root and capabilities list

Martin Pitt martin.pitt at ubuntu.com
Tue Oct 14 18:37:27 UTC 2014


ds [2014-10-14 22:31 +0400]:
> Yes it is. the capability is set on exe file by the installer.

Ah, how does that work? I'm not aware of an ELF/kernel feature which
allows doing that, this sounds interesting?

> The exe itself should never acquire root ideally. Only has the
> limited subset of root powers CAP_SYS_RAWIO and CAP_SYS_MODULE

Note that at least CAP_SYS_MODULE is equivalent to root (as you can
load any local .ko which can then provide you with a backdoor into the
kernel), so from a security POV this doesn't help much. Of course
you'd drop both root privs and CAP_SYS_MODULE right after program
initialisation when you don't need them any more.

The other workaround would be if your project ships a udev rule
which makes the msr devices world readable. We don't currently have
any explicit rule for msr as far as I can see, so they are just using
the kernel defaults in devtmpfs. If open and read on them is
additionally protected by CAP_SYS_RAWIO, then world-readability should
not hurt indeed (note that I haven't verified this).

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
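Added example, not from the thread: a privilege-drop routine of the kind Martin describes, which gives up root (when held) and every capability except CAP_SYS_RAWIO right after initialisation. It assumes Linux with glibc and uses the raw capget/capset syscalls to avoid a libcap dependency; the function names are my own.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Read the calling thread's capability sets (v3 layout: two 32-bit words). */
static int cap_get(struct __user_cap_header_struct *h,
                   struct __user_cap_data_struct d[2]) {
    h->version = _LINUX_CAPABILITY_VERSION_3;
    h->pid = 0;                       /* 0 = the calling thread */
    return (int)syscall(SYS_capget, h, d);
}

/* Drop root (if we have it) and all capabilities except CAP_SYS_RAWIO.
 * Returns 0 on success, -1 on failure. Hypothetical helper, not a library API. */
int drop_to_rawio(uid_t uid, gid_t gid) {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];

    if (geteuid() == 0 && uid != 0) {
        /* Without KEEPCAPS, leaving uid 0 would clear the permitted set too. */
        if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
        if (setresgid(gid, gid, gid) != 0) return -1;
        if (setresuid(uid, uid, uid) != 0) return -1;
    }
    if (cap_get(&hdr, data) != 0) return -1;

    /* CAP_SYS_RAWIO (17) sits in the first word; CAP_SYS_MODULE (16) goes too. */
    uint32_t keep = 1u << CAP_SYS_RAWIO;
    data[0].permitted   &= keep;      /* shrinking is allowed without privilege */
    data[0].effective   &= keep;      /* must stay a subset of permitted */
    data[0].inheritable  = 0;         /* nothing passes across execve */
    data[1].permitted = data[1].effective = data[1].inheritable = 0;
    return (int)syscall(SYS_capset, &hdr, data);
}

/* 1 if cap is in the effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap) {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    if (cap < 0 || cap > 63 || cap_get(&hdr, data) != 0) return -1;
    return (int)((data[cap / 32].effective >> (cap % 32)) & 1u);
}
```

Call drop_to_rawio() once the MSR device files are open; anything still needing CAP_SYS_MODULE afterwards is a sign the design keeps more than it should.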
