[ubuntu-hardened] File Posix Capabilities in Jaunty
Kees Cook
kees at ubuntu.com
Fri Mar 13 17:03:20 GMT 2009
On Fri, Mar 13, 2009 at 05:15:52AM -0700, Jeff Schroeder wrote:
> On Fri, Mar 13, 2009 at 12:41 AM, Michal Zimen <michal.zimen at gmail.com> wrote:
> > I mean capabilities described for example in this article:
> > http://www.friedhoff.org/posixfilecaps.html
> >
> >
> > It would be better to have system without SUID executable files. Afterall,
> > it is not so complicated:)
>
> I've not touched this since roughly a dapper timeline but it would be
> a good start.
> https://wiki.ubuntu.com/Security/Investigation/Setuid
Many things on this list use their setuid to gain a cap and then drop privs
(iirc, that's the "de-rooted: yes" ones). I think "capabilities" column
here means "could be done with fscaps".
-Kees
--
Kees Cook
Ubuntu Security Team
More information about the ubuntu-hardened
mailing list