[Apparmor-general] setuid/setgid: target user

Crispin Cowan crispin at novell.com
Tue Jun 19 03:27:34 MDT 2007


Andreas Hasenack wrote:
> The traceroute program I have is SUID root:
> -rwsr-xr-x 1 root bin 18K Jan 28 21:17 /usr/sbin/traceroute
>
> but it tries to drop privileges. So, it needs the setuid/setgid
> capability:
>
> REJECTING access to capability 'setgid' (4700 profile /usr/sbin/traceroute active /usr/sbin/traceroute)
> REJECTING access to capability 'setuid' (4700 profile /usr/sbin/traceroute active /usr/sbin/traceroute)
>
> But I'm wondering: is there someway to specify that this capability can
> only be used for root to become user foobar?
Unfortunately no, that's not how POSIX.1e capabilities work.

It is also not how AppArmor works; AA is deliberately oblivious to the
UID of the confined process, so that the confinement works on root just
like everyone else.

JJ has some ideas for user-oriented stuff, but nothing concrete on our
development road map. Feel free to propose what you would like it to do.

Caveat: changing AppArmor semantics is a nest of hazards. We have really
long meetings about things like that, and most often return to the
status quo. If I respond to a proposal with the list of consequences
that turn out to be worse than the problem the change is trying to
solve, it is not because I don't appreciate & welcome suggestions :-)

> If I just add these two
> capabilities to the traceroute profile, the process would be allowed to
> become any user, and not just the intended low privilege one, right?
> Assuming some exploit, I mean.
>
Kind of. Without AppArmor, your traceroute is running as root (because
of the setuid root) and so it has all of the POSIX.1e capabilities, not
just the few that are in your AppArmor profile. AppArmor basically takes
away all of the POSIX.1e capabilities, and then gives back the ones that
you say.

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
	AppArmor Chat: irc.oftc.net/#apparmor
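For readers following the thread: the point about AppArmor removing every POSIX.1e capability and handing back only the listed ones looks like this in profile form. This is an added illustration, not a profile from the original thread or from the AppArmor project; the profile path, the two abstractions and the file rules are assumptions, and only the two `capability` lines correspond to the REJECTING messages quoted above.

```apparmor
# Added example (not from the thread): hypothetical /etc/apparmor.d/usr.sbin.traceroute
# The abstractions and file rules below are assumptions chosen to make the fragment loadable.
#include <tunables/global>

/usr/sbin/traceroute {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Raw sockets for the probe packets; everything else stays denied.
  capability net_raw,

  # The binary is setuid root and calls setgid()/setuid() to drop to an
  # unprivileged account. AppArmor cannot scope these to a target UID/GID:
  # each line hands back the whole capability, so a compromised traceroute
  # could still switch to any user. Omit them and the drop fails, as in the
  # two REJECTING lines quoted in the thread.
  capability setgid,
  capability setuid,

  /usr/sbin/traceroute mr,
  /etc/hosts r,
}
```

With no `capability` lines at all, the confined process has no POSIX.1e capabilities even though it is running as root, which is the behaviour described in the reply; a quick way to confirm which capabilities a loaded profile grants is to check the profile text under /etc/apparmor.d rather than the process UID, since the kernel side ignores the UID entirely.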
