[cap-talk] Applications for a capability platform - PLASH discussion

Mark Seaborn mrs at mythic-beasts.com
Tue Mar 11 18:46:31 EDT 2008


Jed Donnelley <jed at nersc.gov> wrote:

> How do I run "chmod" under PLASH?

The FsObjReal objects [1] (the basic level wrapping POSIX to provide
an object-based interface) pass chmod() calls on to the underlying
filesystem in most cases.

The motivating case was to allow setting the "x" (executable) bit,
which generally doesn't play any useful access control role but just
distinguishes executable files from non-executables.  For example, if
you run gcc inside Plash to build an executable, you might want gcc's
setting of the "x" bit to get propagated to the real file so that you
can use the executable outside of Plash without having to set the "x"
bit yourself.

The decision to propagate through chmod() might be worth revisiting as
use cases change.

You can always disallow chmod() on files/directories by wrapping the
file/directory objects.

There was originally a bug in that FsObjReal would allow setting the
setuid/setgid bits of the permissions with chmod() [2].  While the
process running under Plash could not exploit this by itself (because
Plash does not implement setuid/setgid executables at all), other
users' processes could conspire to exploit it.

Another problem that requires another process to conspire is [3],
which is interesting because it is caused by combining two access
control models, and I haven't found a way to solve it in all cases.

In any case, Plash does not interpret permissions bits in any
way other than to prevent the setuid/setgid bits being set.

[1] http://plash.beasts.org/wiki/FsObjReal
[2] http://plash.beasts.org/wiki/PlashIssues/SetuidBitVulnerability
[3] http://plash.beasts.org/wiki/PlashIssues/HardLinkVulnerability


> >> Hmmm.  Of course much (most?) of the GNU suite of software was
> >> available 10 years ago.
> > 
> > Yes. But outside of a few developers, nobody gives a damn (or should).
> > The applications that actually deliver value to the world at large are
> > things like Evolution (email), Firefox (browsing), and OpenOffice. It is
> > also noteworthy that NONE of these are GNU applications.

Actually Evolution is part of GNOME, which is part of GNU, though that
doesn't necessarily mean very much.

Regards,
Mark
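
Added example, not part of the original post and not Plash's own code: a sketch of the two controls described above, a file object that passes chmod() through but refuses the setuid/setgid bits, and a wrapper that withholds chmod() entirely. The class names `RealFile` and `NoChmod`, and the choice to reject the call rather than silently mask the bits, are assumptions made for illustration.

```python
import errno
import os
import stat
import tempfile

# Bits the post says must never be settable through the object interface.
FORBIDDEN = stat.S_ISUID | stat.S_ISGID

class RealFile:
    """Hypothetical FsObjReal-style object: wraps an open fd, not a path."""
    def __init__(self, fd):
        self._fd = fd

    def chmod(self, mode):
        # Assumption: reject the whole call if a forbidden bit is requested.
        if mode & FORBIDDEN:
            raise PermissionError(errno.EPERM, "setuid/setgid bits refused")
        os.fchmod(self._fd, mode)  # otherwise propagate to the real file

    def mode(self):
        return stat.S_IMODE(os.fstat(self._fd).st_mode)

class NoChmod:
    """Wrapper handed out when the holder should not change permissions."""
    def __init__(self, inner):
        self._inner = inner

    def chmod(self, mode):
        raise PermissionError(errno.EPERM, "chmod not granted on this reference")

    def mode(self):
        return self._inner.mode()

def demo():
    fd, path = tempfile.mkstemp()  # constructed scratch file, created 0600
    try:
        real = RealFile(fd)
        real.chmod(0o755)  # the motivating case: setting the "x" bit
        results = {"after_x": real.mode()}
        attempts = [("setuid", real, 0o4755), ("setgid", real, 0o2755),
                    ("wrapped", NoChmod(real), 0o644)]
        for label, obj, mode in attempts:
            try:
                obj.chmod(mode)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "denied"
        results["final"] = real.mode()  # unchanged by the refused calls
        return results
    finally:
        os.close(fd)
        os.unlink(path)

if __name__ == "__main__":
    print(demo())
```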

