current-users: Re: Miscellaneous OS features: capabilities

Subject: Re: Miscellaneous OS features: capabilities
To: None <current-users@NetBSD.org>
From: David Young <dyoung@pobox.com>
List: current-users
Date: 08/10/2003 21:14:16
On Fri, Aug 08, 2003 at 07:39:22AM -0400, Sporleder, Matthew (CCI-Atlanta) wrote:
> Speaking of de-rooting-
> Could you just add a /dev/ports/ directory or something along those lines to
> then chown specific ports to any user you wanted: <daemon>d, for example?

  Take it a step further. Grant the daemon *process* only the privileges
  it needs, using the imaginary "cap" command.

CAP(1)                       NetBSD Reference Manual                     CAP(1)

NAME
     cap - an imaginary program which runs a command with restricted
           privileges

SYNOPSIS
     cap [capabilities] [command [arguments]]

DESCRIPTION
     cap runs a command with only the capabilities assigned to it on the
     cap command line. Capabilities are assigned using the options -u,
     -c, -C, -m, -b, -l, -R, -i, -o, -s, -r, -w, -a, and -x.

     -b port/proto       command may bind the given port
     -l port/proto       command may listen(2) for connections on the
                         given port
     -R host:port/proto  command may connect(2) to the given host/port
     -i nblocks          command may read only nblocks blocks from any
                         disk in a second
     -o nblocks          command may write only nblocks blocks from any
                         disk in a second
     -s nblocks:dev      command may store only nblocks blocks on the
                         block device dev
     -r filename         command may read from the given file
     -w filename         "       "   write to  "   "     "
     -a filename         "       "   append to "   "     "
     -x filename         "       "   execute   "   "     "
     -n filename         "       "   create    "   "     "
     -c secs             command (and children if -g; see below) may use
                         at most secs seconds, total.
     -C millisecs        command (and children if -g; see below) may run
                         for at most millisecs milliseconds in a second.
     -m size [k|m|p]     maximum core size for this command and all of its
                         children in kilobytes (k), megabytes (m), or pages (p)
     .
     .
     .

     Run a command with no capabilities to find out the minimal
     capabilities it requires, if that information was compiled
     into the executable.

     There is a capability modifier, -g. All of the capabilities following
     -g may be delegated to child processes.

     Et cetera, et cetera.

Dave

-- 
David Young             OJC Technologies
dyoung@ojctech.com      Urbana, IL * (217) 278-3933