Fedora 11: moving to posix file capabilities?

Colin Walters walters at verbum.org
Wed Oct 29 19:25:15 UTC 2008


On Wed, Oct 29, 2008 at 3:13 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>
> 1) We've spent a lot of time on getting audit right. We can tell what account
> was logged in under and find every single application that was started as a
> result of that login. Message passing breaks this.

True, though how interesting is the question of "what binaries were
executed" as opposed to the system having enough intelligence to
display security-relevant information? Also:

> 2) There is no accountability for what actions are performed for each user.
> The audit system cannot tell who something was done for.

Should be easy to add such auditing; actually I think we do want to
have dbus audit on system activation regardless of PolicyKit.

> 3) There is yet another MAC policy with no auditing of access decisions.

Duplicate of 2)?

> 4) Setuid apps get special treatment from ld.so and other things so that
> certain actions cannot be performed like ptrace or LD_PRELOAD.

Right, but with message passing you don't have to worry about
ptrace/LD_PRELOAD and all the other problems inherent in a
parent-child exec relationship.

> 5) Setuid apps can be found quite easily and they are well known and well
> reviewed for bugs. If you want admin only use, it's easy to take off the
> setuid bit.

It's actually quite a bit easier to review say PolicyKit mechanisms
for bugs because they don't have to worry about dropping privileges,
etc.  As for the sysadmin impact, yes, there is a concern there but
there is documentation:
http://hal.freedesktop.org/docs/PolicyKit/PolicyKit.conf.5.html


Anyways, I don't want to completely derail this discussion on fcap
into suid-vs-PolicyKit; using fcap for things like ping makes sense.
I just wanted to note that we would prefer upstream work to focus
around PolicyKit or a system-user daemon split like NetworkManager.
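The thread's points 5 and the closing remark about ping both turn on how privileged binaries are located on a system. Classic setuid binaries are found with a single `find`, but a binary that gained its privilege through POSIX file capabilities (the "fcap" route, e.g. `setcap cap_net_raw+ep` on ping instead of the setuid bit) carries no mode bit and is invisible to that search. The script below is an added example, not part of the original mailing-list post; it audits a tree for both kinds and exercises itself on a constructed directory. It assumes a Linux host with a writable temp directory and, for the second pass, `getcap` from libcap (absent on some minimal installs, in which case that pass is skipped).

```shell
#!/bin/sh
# Added example (not from the original thread): enumerate binaries that carry
# elevated privilege under a directory, either through the setuid bit or
# through POSIX file capabilities. The two mechanisms need separate passes
# because `find -perm` cannot see file capabilities.

# Print regular files under $1 with the setuid bit set, one path per line.
# -xdev keeps the walk on one filesystem, as a system-wide audit would.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print files under $1 that carry file capabilities, in getcap's own
# "path = caps" format. getcap(8) from libcap is assumed; when it is not
# installed the function prints nothing and returns 0 so the rest still runs.
list_fcaps() {
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null | sort
    fi
}

# Constructed demonstration tree (assumption: mktemp can create a temp dir).
# The "privileged" file stands in for a classic setuid ping; no root needed,
# since a user may set the setuid bit on a file they own.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/bin"
: > "$demo_dir/bin/plain"
: > "$demo_dir/bin/privileged"
chmod 0755 "$demo_dir/bin/plain"
chmod 4755 "$demo_dir/bin/privileged"

echo "setuid binaries under $demo_dir:"
list_setuid "$demo_dir"
echo "file-capability binaries under $demo_dir (empty if none or getcap missing):"
list_fcaps "$demo_dir"
```

Run it as an ordinary user to see the setuid pass on the constructed tree; pointed at `/` it gives the inventory a reviewer needs for point 5, with the capability pass covering binaries that were converted away from setuid and would otherwise drop out of the review.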



