Further restriction of child processes capabilities (part 1) #7685

Closed
wants to merge 5 commits into from

alexey-tikhonov
Member

@alexey-tikhonov alexey-tikhonov commented Nov 7, 2024

Minimizes capabilities required by 'ldap_child'.

@alexey-tikhonov alexey-tikhonov force-pushed the caps-again branch 4 times, most recently from cc24140 to ab4e126 Compare November 9, 2024 10:38
@alexey-tikhonov alexey-tikhonov changed the title Further restriction of child processes capabilities Further restriction of child processes capabilities (part 1) Nov 9, 2024
@alexey-tikhonov alexey-tikhonov marked this pull request as ready for review November 9, 2024 13:32
as those do not have to be the same
'cap_dac_read_search' is needed to read a keytab but 'cap_dac_override'
(that allows to bypass file write permission checks) shouldn't be required.
and raise to 'effective' when needed.
Take a note that usage of cap_dac_override + chown to create cache path
components could be changed to use cap_dac_override + (granted anyway) setuid,
but not sure if it's worth the trouble.
Contributor

@justin-stephenson justin-stephenson left a comment

Ack, thank you.

@alexey-tikhonov
Member Author

Pushed PR: #7685

  • master
    • 23d9c93 - Describe current capabilities usage.
    • 5ef1efc - LDAP_CHILD: require only 'cap_dac_read_search=permitted'
    • 942799d - LDAP_CHILD: don't require any capabilities besides 'cap_dac_read_search'
    • 7ce14e7 - LDAP_CHILD: replace 'cap_dac_override' with 'cap_dac_read_search'
    • b74fe65 - SPEC: untie capabilities of different binaries
  • sssd-2-10
    • a9023c7 - Describe current capabilities usage.
    • f344f3a - LDAP_CHILD: require only 'cap_dac_read_search=permitted'
    • b81a266 - LDAP_CHILD: don't require any capabilities besides 'cap_dac_read_search'
    • 53431f9 - LDAP_CHILD: replace 'cap_dac_override' with 'cap_dac_read_search'
    • afd7754 - SPEC: untie capabilities of different binaries
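
The commit messages above describe holding 'cap_dac_read_search' in the permitted set only and raising it to effective when needed. The following is an added example of that pattern, not SSSD's code and not part of this PR; it uses the raw Linux capget(2)/capset(2) syscalls, and the function names are hypothetical.

```c
/* Added example: hypothetical helper names, not SSSD code. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* capget(2)/capset(2) on the calling thread; returns 0 or -errno. */
static int caps_call(long nr, struct __user_cap_data_struct d[2])
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(nr, &h, d) == 0 ? 0 : -errno;
}

/* 1 if 'cap' is in the effective set, else 0 (also when capget fails). */
int cap_is_effective(int cap)
{
    struct __user_cap_data_struct d[2] = {{0, 0, 0}, {0, 0, 0}};
    if (caps_call(SYS_capget, d) != 0) return 0;
    return (int)((d[cap / 32].effective >> (cap % 32)) & 1u);
}

/* Set or clear one effective bit, leaving permitted untouched.
 * The kernel returns EPERM if the bit is not in the permitted set. */
int cap_set_effective(int cap, int on)
{
    struct __user_cap_data_struct d[2] = {{0, 0, 0}, {0, 0, 0}};
    unsigned bit = 1u << (cap % 32);
    int rc = caps_call(SYS_capget, d);
    if (rc != 0) return rc;
    if (on) d[cap / 32].effective |= bit;
    else    d[cap / 32].effective &= ~bit;
    return caps_call(SYS_capset, d);
}

/* Open 'path' read-only with cap_dac_read_search effective only around open().
 * Returns an fd or -errno. If the raise fails, normal permission checks apply;
 * if the drop fails, the fd is closed and -EPERM is returned (fail closed). */
int open_with_dac_read_search(const char *path)
{
    int raised = cap_set_effective(CAP_DAC_READ_SEARCH, 1) == 0;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    int saved = errno;
    if (raised && cap_set_effective(CAP_DAC_READ_SEARCH, 0) != 0) {
        if (fd >= 0) close(fd);
        return -EPERM;
    }
    return fd >= 0 ? fd : -saved;
}
```

Because 'cap_dac_override' is never requested, a process built this way can bypass read and directory-search permission checks while the bit is raised, but not write permission checks.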

3 participants