Sorry if this isn't the right QA forum. I couldn't think of where else to post this question.

The Linux kernel has supported capability-based security for quite some time but I don't see many distributions taking advantage of it. For example, if I want to fiddle around with packet filtering rules I just sudo su - like a madman and run iptables from the shell. If I want to start/stop some VMs, boom it's sudo su - again and then virsh or whatever. This is horribly insecure and worse, it's easy to do something I didn't intend.

It seems like using capabilities would work better. If I want my user foo to be able to modify rules for the network stack, I should

  1. Create a network_admin group
  2. Create a binary with CAP_NET_ADMIN that prompts the user for their password and then spawns a shell
  3. Set the permission bits on the binary so that only members of network_admin can start the shell
  4. Add foo to my network_admin group

This is essentially what most distros do with the sudoers or wheel group, except it's only one capability: full control of the system. I don't see any distros directly supporting something similar to this kind of capability-based admin workflow, and it makes me think I am misunderstanding the usefulness of such a setup.

Is there a good reason that most major distros still use sudo as a Swiss Army knife instead of a more granular capability-based approach?

  • If you're afraid iptables will do something beyond CAP_NET_ADMIN then I understand your concern. If you're afraid you will type something you didn't intend then IMO the first thing is not to start an elevated shell. I start an elevated shell only when there's a risk of locking myself out in a regular shell; and I still don't use it, it's there just in case. I run sudo specialized_command where needed, and I don't use sudo where not needed (including parts of pipelines). Working in an elevated shell is like sudo-ing an entire script. – Kamil Maciorowski Nov 08 '23 at 06:11
  • Thanks @KamilMaciorowski, I think the first part is more of my concern. I don't have time to audit every binary on my system and even if I did I don't have the expertise to identify every possible exploit. Perhaps more concerning than binaries that ship with the distro are tools where the recommended installation method is sh <(curl "whatever") and then you get a sudo prompt. – Ben Little Nov 08 '23 at 18:34
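Steps 2 and 3 of the question written out as an added example (not part of the original post, and not any distro's tooling): a small C wrapper that receives CAP_NET_ADMIN from a file capability and hands it to the shell it spawns, which also shows the caveat the four steps skip, namely that a file capability lands only in the wrapper's own permitted set, so iptables run from the child shell would not have it unless the wrapper first raises it into the ambient set. The password prompt is left out in favour of the group-restricted permission bits from step 3; the binary path, group name and shell path are assumptions.

```c
/* netadmin-shell.c: the wrapper from steps 2-3 of the question, as an added example.
 * Install (assumed names): gcc -o /usr/local/bin/netadmin-shell netadmin-shell.c &&
 *   setcap cap_net_admin=p /usr/local/bin/netadmin-shell &&
 *   chgrp network_admin /usr/local/bin/netadmin-shell && chmod 0750 /usr/local/bin/netadmin-shell
 * setcap puts the cap only in the wrapper's permitted set; a child such as iptables has no
 * file caps of its own and would lose it on exec unless it is in the ambient set (Linux >= 4.3). */
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef PR_CAP_AMBIENT            /* older prctl.h: values from the kernel ABI */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif
/* v3 capability sets are two 32-bit words: word index and bit mask for a cap. */
int cap_word(int cap) { return cap >> 5; }
unsigned cap_mask(int cap) { return 1u << (cap & 31); }

/* True if cap is present in the permitted word of a capget(2) v3 result. */
int cap_permitted(const struct __user_cap_data_struct data[2], int cap) {
    return (data[cap_word(cap)].permitted & cap_mask(cap)) != 0;
}

/* Copy cap from permitted into inheritable and effective (raw syscalls, no libcap).
 * Returns 0 on success, -1 if cap is not permitted or capset(2) fails. */
int raise_inheritable(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = {{0}};
    if (syscall(SYS_capget, &hdr, data) != 0 || !cap_permitted(data, cap)) return -1;
    data[cap_word(cap)].inheritable |= cap_mask(cap);
    data[cap_word(cap)].effective   |= cap_mask(cap);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

int main(void) {
    if (raise_inheritable(CAP_NET_ADMIN) != 0) {
        fprintf(stderr, "CAP_NET_ADMIN not permitted: missing file capability?\n");
        return 1;
    }
    /* Ambient raise needs the cap in permitted AND inheritable; it then survives exec. */
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)CAP_NET_ADMIN, 0UL, 0UL) != 0) {
        perror("PR_CAP_AMBIENT_RAISE");
        return 1;
    }
    /* uid unchanged: caller's own shell plus one capability (see CapAmb in /proc/self/status). */
    execl("/bin/bash", "bash", "--norc", (char *)NULL);   /* shell path assumed */
    perror("execl");
    return 1;
}
```

Inside the spawned shell, `grep CapAmb /proc/self/status` should show bit 12 set, and iptables then runs without sudo while every other root privilege stays out of reach.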

1 Answer


The reliance on sudo in most Linux distributions over capabilities is largely due to its simplicity and the fine-grained control it provides over user permissions. Capabilities divide the power of root into a set of discrete privileges which can be independently enabled or disabled for individual programs, but managing these can be complex and is often more granular than necessary for general use cases.

sudo allows system admins to delegate limited root access to users through the sudoers file, which can specify exactly which commands a user can run, as well as record what commands are being executed with root privileges for audit purposes. It also allows for a simple transition to root-level access without the need to manage multiple sets of capabilities across different programs, which can be error-prone and difficult to audit.

Capabilities are powerful, but their complexity and the level of detail required in their management mean they are generally used in more specialized circumstances rather than for routine daily operations.