[cap-talk] Capabilities - the rub, an account
Jed at Webstart
donnelley1 at webstart.com
Tue Nov 21 17:29:01 CST 2006

At 11:22 AM 11/18/2006, Sandro Magi wrote:
>Jed at Webstart wrote:
> > The most important factor in this area I think is that any
> > proxying disappears when the active process doing the
> > proxying goes away - as it inevitably does in many cases
> > (often at a logout, a kill, but certainly when a system restarts
> > in today's systems).
>
>Malware, adware, etc. can install themselves as startup/boot services.

Certainly. This doesn't mean that the ACL people (alternative terminology
for the majority of the IT world gladly accepted) still don't consider
proxying less of a threat because the proxying processes disappear
on reboot.

> > Another factor I believe is that such proxying doesn't seem
> > to be a practical problem from the security viewpoint. Others
> > can correct me, but I don't know of any instances of script
> > kiddies or the like installing proxy access. I think part of the
> > reason they don't is that such access isn't permanent enough
> > to suit their needs (see above about the limited lifetime of
> > processes).
>
>I think proxy access isn't used because it isn't necessary yet; far too
>many easier exploits are still available. I mean, why go through all
>this trouble when you can root a machine with a simple Javascript
>script? Proxying will become more viable with increased security.

I agree. It's even a bit difficult to distinguish between, say, an
installed trojaned sshd (which we've seen recently) and a proxy.
In some senses they are similar - though perhaps with different
implementations.

Still, from the perspective of the identity (acl) folks, it's the fact
that an identity has been usurped (root in the sshd case) that's
the basis of the problem. From their perspective that's as it
should be. Fix that identity usurpation and the problem is
corrected. No "dangling" capabilities that aren't tied to
identities that you need to worry about that might have carried
off permissions that should be cut off when the identity is
again restricted to its rightful owner.

--Jed http://www.webstart.com/jed/