= Protecting Binaries using Capabilities =

== Summary ==
Change permissions of binaries (executables, and probably shared libraries as well) to make them non-writeable even by owner (usually root). This makes it more difficult for an exploit of a program running with restricted capabilities to overwrite binaries.

== Owner ==

 * Name: Miloslav Trmac
 * Email:

== Current status ==

 * Targeted release:
 * Last updated: 2010-01-25
 * Percentage of completion: 15%

== Detailed Description ==
In Fedora 12 several daemons (e.g. dhclient, bluez) were modified to drop unnecessary capabilities (Features/LowerProcessCapabilities), most importantly the "dac_override" capability, allowing the daemon to ignore file permission bits. This, in combination with removing some permissions from important system directories and files (such as /etc/shadow), has restricted the amount of damage that can be done by exploiting such daemons.

We can extend the protection to all executables by a simple addition to redhat-rpm-config (https://bugzilla.redhat.com/show_bug.cgi?id=556897 ). After applying this patch, executable files in all rebuilt packages would not be writeable, most often using mode 0555. Because shared libraries are usually executable on Linux, this protects most shared libraries as well; the protection can be explicitly expanded to all shared libraries.

I don't expect any problems from this change (it can affect only daemons that drop capabilities, and executables owned by users other than root); in the unusual case where making an executable non-writeable did cause some problems, the packager could override the change by explicitly specifying the required permissions using %attr in the %files section of the spec file.

== Benefit to Fedora ==
It will be more difficult to use exploited security vulnerabilities to damage the system.

== Scope ==
A "build policy" (brp-*) script added to redhat-rpm-config, run automatically at the end of %install. As far as I understand, a mass rebuild is not planned for Fedora 13, so not all packages will be affected by this change. Security-critical packages can be intentionally rebuilt to take advantage of the change.

== How To Test ==

 * Verify executables (and shared libraries) in packages built after the redhat-rpm-config change is applied have all "write" permissions unset.
 * Verify root, when operating from a command line, can still overwrite the binaries.
 * Verify yum can update the non-writeable executables correctly.
 * Verify prelink can relink the non-writeable executables correctly. (The root/yum/prelink cases should work because in all of these cases the process has the cap_dac_override capability.)
 * Run (capsh --drop=cap_dac_override --) as root to start a shell without dac_override. Verify root cannot overwrite the binaries.

== User Experience ==
No changes expected, except for a different output of (ls -l).

== Dependencies ==
None.

== Contingency Plan ==
Problems are not expected, but if they do arise, the package can use %attr to override the change. In the absolute worst case, the redhat-rpm-config patch would be reverted and the affected packages rebuilt.

== Documentation ==

 * libcap-ng

== Release Notes ==

 * Some executables and shared libraries in this Fedora release have their "write" permission bits reset, to make it more difficult for daemons running as root that have dropped the dac_override capability (notably dhclient) to overwrite these files. More executables will be made non-writeable in future releases of Fedora.

== Comments and Discussion ==

 * See Talk:Features/ProtectingBinariesUsingCapabilities