-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathprivileges.page
98 lines (85 loc) · 4.41 KB
/
privileges.page
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
<!--
Copyright (c) 2006-2012 Robert N. M. Watson
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
-->
<page role="privileges">
<title>TrustedBSD POSIX.1e Privileges</title>
<section>
<title>TrustedBSD POSIX.1e Privileges</title>
<html>
<!--
<p>
<span id="collection-label">Perforce:</span>
<span id="cvsup-collection">//depot/projects/trustedbsd/cap/...</span>
</p>
-->
<p><b>In this past, this project was referred to as fine-grained
capabilities, but due to a vocabulary conflict with the <i>capability
system model</i> used in Capsicum, it has been renamed
to fine-grained privileges. Information in this page currently refers
to a FreeBSD 5.x-era project to support fine-grained
privileges.</b></p>
<p><b>In FreeBSD 7.0, the <a
href="http://www.freebsd.org/cgi/man.cgi?query=priv">priv(9) KPI</a>
was introduced, classifying all kernel uses of privileges and
exposing this information to a centralised kernel component.
The kernel's <a href="mac.html">mandatory access control framework</a>
allows MAC policy modules to deny (and grant) privileges, but
FreeBSD does not currently provide a userspace API for privilege
management.
Discussion below is historical.</b></p>
<hr />
<p>POSIX.1e breaks root privilege into a set of privileges
(historically referred to as "Capabilities"), which allow the
granting of specific privilege requirements for POSIX calls, such
as setuid().
POSIX.1e defines extension to process and file state to allow
privileges to be granted to processes, either by inheritence or
a file privilege model similar to setuid/setgid.</p>
<p>The TrustedBSD privileges project is currently inactive, but an
implementation of POSIX.1e privileges for an older FreeBSD release
is available and functional, and may be found in Perforce.
Certain key files are provided in a tarball for download on this
page.</p>
<p>The reason that these changes have not yet been integrated into
FreeBSD is that they represent a substantial risk, as they change
the superuser privilege model, and there have been a number of
vulnerabilities in other operating systems relating to both
implementation and logic errors with fine-grained privileges, and
this implementation has seen insufficient review.
Also, the in-kernel API for privilege checking is limited to a
32-bit or 64-bit privilege mask, which does not offer room for
sufficient future growth in privileges, or further fine-graining.</p>
<p>Up-to-date versions of the kernel API changes to perform
fine-grained privilege checking, without the privilege model
itself, may be found in the <a href="sebsd.html">SEBSD branch</a>,
and include modifications to the TrustedBSD MAC Framework to allow
MAC modules to deny privilege based on the POSIX.1e privilege
categories.</p>
<p>2006-03-26 FreeBSD 5.0 POSIX.1e privileges reference files
snapshot. These are reference BSD-licensed POSIX.1e privilege
files derived from an early TrustedBSD implementation, and do
not represent a complete or supported implementation. Download
<a href="downloads/20060326-cap.tgz">20060326-cap.tgz</a> (60K).</p>
</html>
</section>
</page>