Bug 2600 - Use Linux capabilities to revoke additional permissions from chrooted users
Summary: Use Linux capabilities to revoke additional permissions from chrooted users
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.2p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2016-07-21 00:16 AEST by Jakub Jelen
Modified: 2016-07-21 00:16 AEST
CC List: 0 users

See Also:


Attachments
Configure integration of libcap-ng and its usage related to chroot (3.68 KB, patch)
2016-07-21 00:16 AEST, Jakub Jelen

Description Jakub Jelen 2016-07-21 00:16:32 AEST
Created attachment 2857
Configure integration of libcap-ng and its usage related to chroot

This report is closely related to bug #2482, reported some time ago, and it is attempting to resolve the old chicken-and-egg problem with chroot (in combination with SELinux), but it can also make sense on normal Linux to drop additional privileges earlier (or in other parts of the code).

With SELinux, we can avoid giving out the setuid and setgid capabilities to the very limited SELinux users, which is very desirable (we can't switch SELinux context in chroot, so we had to have these permissions to drop uid and gid).

The new behavior drops all capabilities (except SYS_CHROOT) before chroot and the SYS_CHROOT capability just after it. Even if the first attempt fails (prevented by SELinux), the privileges are dropped as before using permanently_set_uid().

This patch is implemented using the libcap-ng [1] library, which makes using Linux capabilities much easier than the native interface (the patch can build with or without it).

[1] https://people.redhat.com/sgrubb/libcap-ng/
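The drop-then-chroot-then-drop sequence the report describes, as an added example that is not the attached patch or OpenSSH code. It uses the raw capset(2) interface instead of libcap-ng so it builds with only the Linux headers; CAP_SYS_CHROOT, _LINUX_CAPABILITY_VERSION_3 and _LINUX_CAPABILITY_U32S_3 come from <linux/capability.h>. The helper names, the return convention and the jail directory "/var/empty" are assumptions for the demo.

```c
/* Added example, not the attached patch: the capability sequence from the
 * report written against raw capset(2) rather than libcap-ng.
 * Assumed: Linux, and a process that starts with CAP_SYS_CHROOT in its
 * permitted set (normally root). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Two 32-bit words per set under capability API version 3. */
#define CAP_WORDS _LINUX_CAPABILITY_U32S_3

typedef struct __user_cap_data_struct cap_data_t;

/* Fill a capset payload that keeps exactly one capability in the permitted
 * and effective sets and nothing in the inheritable set.
 * Pass cap < 0 to clear every set. Out-of-range caps also clear every set. */
void build_caps_only(cap_data_t data[CAP_WORDS], int cap)
{
    memset(data, 0, sizeof(cap_data_t) * CAP_WORDS);
    if (cap < 0 || cap >= 32 * CAP_WORDS)
        return;
    unsigned word = (unsigned)cap / 32;
    unsigned bit = 1u << ((unsigned)cap % 32);
    data[word].permitted = bit;
    data[word].effective = bit;
    /* inheritable stays 0: nothing is handed to execve'd children */
}

/* Apply a payload with capset(2). Returns 0 or -errno.
 * Without CAP_SETPCAP a process may only shrink its sets, which is all this
 * sequence ever does, so no extra privilege is needed to call it. */
int apply_caps(cap_data_t data[CAP_WORDS])
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3,
        .pid = 0,   /* calling thread */
    };
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    return 0;
}

/* The sequence from the report:
 *  1. drop everything except CAP_SYS_CHROOT,
 *  2. chroot(2) and chdir("/") so the cwd is inside the jail,
 *  3. drop CAP_SYS_CHROOT as well.
 * Returns 0 on success or -errno from the failing step; the caller decides
 * on the fallback (in sshd that would be the uid/gid change). */
int chroot_with_capdrop(const char *dir)
{
    cap_data_t data[CAP_WORDS];

    build_caps_only(data, CAP_SYS_CHROOT);
    int rc = apply_caps(data);
    if (rc)
        return rc;

    if (chroot(dir) != 0)
        return -errno;
    if (chdir("/") != 0)
        return -errno;

    build_caps_only(data, -1);
    return apply_caps(data);
}

int main(void)
{
    /* "/var/empty" is an assumed jail directory for the demo. */
    int rc = chroot_with_capdrop("/var/empty");
    if (rc) {
        fprintf(stderr, "chroot_with_capdrop: %s\n", strerror(-rc));
        return 1;
    }
    puts("chrooted with all capabilities dropped");
    return 0;
}
```

Run as root this leaves the process inside the jail with empty permitted, effective and inheritable sets; run unprivileged, step 1 already fails with EPERM because the new permitted set is not a subset of the (empty) old one, which is the "first attempt fails" case the report says still has to fall through to permanently_set_uid(). Two caveats: capset(2) does not touch the bounding set (libcap-ng's capng_clear(CAPNG_SELECT_BOTH) does; with raw syscalls that takes one prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) per capability, issued while CAP_SETPCAP is still held), and the chdir("/") after chroot matters, since a cwd left outside the new root is the classic chroot escape.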