[Please CC me on responses and accept my apologies for breaking threads -
I'm not on the list]
Ulf Lamping wrote:
>P.S: I don't say anything against the patch, it's just that it would be
>nice if I would understand how it's working. Some more comments in the
>code would be really nice :-)
Greg already forwarded some of my pointers on the capabilities model in
Linux. In addition to those, there is
http://linux.omnipotent.net/article.php?article_id=5480
What the patch does:
* On most non-Linux systems: effectively nothing - most non-Linux systems do
not support the POSIX capabilities model.
* On Linux, when running (t)ethereal as a regular user (e.g. to analyse an
already captured stream): effectively nothing as a regular user does not
have special capabilities.
* On Linux, when running (t)ethereal as root: drop all the special
capabilities a root process has, except for the one needed for
(t)ethereal's intended operation: the capability to sniff network
interfaces.
The (t)ethereal process continues to work as expected, but with the
minimal amount of priviledges needed. Should a cracker be able to exploit
a vulnerability in it, she ends up having control over a process that
does not have all root capabilities. Thus, the system would be compromised
only in a limited fashion, rather than completely.
How it does it:
* [config.h.in, configure.in] Check for the availability of libcap. If it is
available, use it (unless explicitly told otherwise) by adapting LIBS and
defining HAVE_LIBCAP.
* [util.c, util.h] Implement dropexcesscapabilities() which drops
all capabilities except CAP_NET_RAW; all wrapped in #ifdef HAVE_LIBCAP
* [gtk/main.c, tethereal.c] Call dropexcesscapabilities() (when available)
at the start of main().
Hope this clarifies things,
Ray
--
PATRIOTISM A great British writer once said that if he had to choose
between betraying his country and betraying a friend he hoped he would
have the decency to betray his country.
- The Hipcrime Vocab by Chad C. Mulligan
