3

In Linux, do sudo and su belong to Capability-based security ?

For example, when editing a system file, we usually need sudo or su to temporarily switch to user root. Does this example belong to capability-based security, or to protection rings? Does this example need some system call to the kernel, or just the privilege of user root, or both?

What are other approaches in Linux that belong to Capability-based security?

Are sudo and su the only approach that belong to Capability-based security?

Gilles 'SO- stop being evil'
Tim

2 Answers

6

In fact, the sudo and su programs are not parts of either security model for several reasons.

  1. Protection rings refer to memory/CPU access permissions, and in user space the only access is to files.
  2. Capabilities refer to process permissions, and as independent programs they are a separate process from the caller and do not inherit or hand on any of their capabilities.
  3. They are independent software programs that neither affect nor are affected by the OS in any way.

Some background may be relevant here:
In Unix and Linux there are two levels of permissions: standard user and superuser (usually called root).
The standard user has access only to the files that he has permissions for, by ownership, group membership or ACL.
The superuser has permissions to everything (we'll ignore stuff like SELinux and the like for this answer) without limits within the userspace.

This presents a major hurdle to overcome: since a standard user doesn't have access to system files, how could something like a password change be performed? For a password change, the user must write to /etc/passwd or the shadow file (its location varies between different Unix flavors).

In order to support this and similar cases, Unix systems have introduced a way to grant special permissions called the suid bit. This is a bit in the filesystem that when set on an executable allows it to gain the privileges of the file owner rather than the calling user.

Sudo and su use this mechanism to allow a user to set its effective permissions to those of someone else (usually the superuser, but not always), so they can run normal programs that do not have their suid flag set as a user other than the one they logged in as.

Didi Kohen
  • 1
    `Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the principle of least privilege, and to the operating system infrastructure necessary to make such transactions efficient and secure.` Are you sure su and sudo don't come under capability based security! –  Sep 09 '14 at 20:15
  • 2
    Yes, since they do not share capabilities, and they are very far from the principle of least privilege, since most uses of the sudo and su programs are to run a program as root without it being aware that it was run by sudo. – Didi Kohen Sep 10 '14 at 10:54
  • Thanks for clarifying. A +1 for you; also, I edited my answer and corrected the wrong section! I wasn't sure about their not sharing capabilities! –  Sep 10 '14 at 13:44
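As an added example (not part of the answer above, and not code from either poster): the C program below reads the setuid bit straight out of st_mode, which is the bit the answer describes, and prints the identity a process would be given on exec'ing each file. The default paths /usr/bin/sudo, /usr/bin/su and /bin/ls are my assumptions about where those binaries live on a typical distribution; pass your own paths as arguments. The scratch-file check constructs its own file in /tmp, so it runs without root. One caveat a practitioner should keep in mind: the kernel honours the bit only at exec time and only on filesystems not mounted nosuid, so seeing the bit set is not the same as the program actually getting root.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if `path` carries the setuid bit, 0 if not, -1 if it cannot be stat'ed.
 * The bit is part of st_mode next to the rwx bits (octal 4000, S_ISUID). */
int has_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Write a one-line description of the identity the kernel would give a
 * process exec'ing `path`: with the bit set, euid becomes the file owner
 * while the real uid stays the caller's; without it, euid stays the
 * caller's effective uid. Returns buf, or NULL if the file cannot be stat'ed. */
char *describe_exec_identity(const char *path, char *buf, size_t len)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return NULL;
    if (st.st_mode & S_ISUID)
        snprintf(buf, len, "%s: setuid set, exec gives euid=%u (owner), ruid=%u (caller)",
                 path, (unsigned)st.st_uid, (unsigned)getuid());
    else
        snprintf(buf, len, "%s: no setuid, exec keeps euid=%u (caller)",
                 path, (unsigned)geteuid());
    return buf;
}

/* Self-contained check on a scratch file (constructed here, not a real
 * binary): set the bit with chmod(2) exactly as `chmod u+s` does, observe
 * it, clear it again. Returns 1 when both transitions are seen, else 0. */
int demo_setuid_bit_on_scratch_file(void)
{
    char tmpl[] = "/tmp/suidbit-XXXXXX"; /* mkstemp rewrites the X's in place */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    close(fd);

    int ok = 1;
    if (has_setuid_bit(tmpl) != 0)           ok = 0; /* fresh file is 0600: bit clear */
    if (chmod(tmpl, S_ISUID | S_IRWXU) != 0) ok = 0; /* mode 4700 */
    if (has_setuid_bit(tmpl) != 1)           ok = 0;
    if (chmod(tmpl, S_IRWXU) != 0)           ok = 0; /* back to 0700 */
    if (has_setuid_bit(tmpl) != 0)           ok = 0;
    unlink(tmpl);
    return ok;
}

int main(int argc, char **argv)
{
    /* Illustrative default paths (assumed, not from the answer). */
    const char *defaults[] = { "/usr/bin/sudo", "/usr/bin/su", "/bin/ls" };
    const char **paths = argc > 1 ? (const char **)argv + 1 : defaults;
    int n = argc > 1 ? argc - 1 : 3;
    char buf[512];

    for (int i = 0; i < n; i++) {
        if (describe_exec_identity(paths[i], buf, sizeof buf))
            puts(buf);
        else
            printf("%s: cannot stat\n", paths[i]);
    }
    printf("scratch-file check: %s\n",
           demo_setuid_bit_on_scratch_file() ? "ok" : "FAILED");
    return 0;
}
```

Build with `cc suidbit.c -o suidbit` and run it as an ordinary user; on most systems the sudo and su lines report the bit set with owner uid 0, and ls reports no bit.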
2

In Linux, sudo and su belong NEITHER to capability-based security NOR to protection rings!

Capability-based security is kind of software- or program-specific with a minimum implementation level (sudo and su don't share any capabilities and are very far from the principle of least privilege!), whereas protection rings enforce everything right from the level of the processor/CPU (sudo and su have nothing to do with the processor or a hierarchical architecture)!

Sudo is used to run a particular command with root permissions. The interesting thing is that when you use sudo for a particular command, system prompts you for current user’s password. Once you enter the password, the command runs with root privileges.

Su is used to switch to any user account. System prompts for password corresponding to the switched user. If su is used without any option, a switch to root user account is done. In this case, system prompts for root user’s password.

For example, when editing a system file, we usually need sudo or su to temporarily switch to user root. Does this example belong to capability-based security, or to protection rings?

We don't switch to user root; only our access/privilege for certain specific actions is increased and run with root privileges. The process would still run under the same userspace, the only difference being that the privilege granted is that of root! Actually, all these accessibility things are mapped in the /etc/sudoers file, where access to each task, like executing certain applications, modifying system settings, etc., is listed for each sudoer. Not all users are kept in the sudoers list; several users might be debarred from this for system security!

So whenever we execute sudo OR su, there is indeed a system call to the kernel, i.e., the setuid() system call is invoked in the Linux kernel and the uid of the user is set to 0 (that of root); hence the # prompt appears. The whole thing is done in the same user's userspace and user mode, not in root's userspace!!!

  • 2
    Both sudo and su can be used to run any command as any user; the main difference between them is that sudo allows fine-grained permissions for commands and does not force the user to know the password of the user they're impersonating (it can be configured to, though). The requirement for the calling user's password is just the default configuration, and can be turned off. – Didi Kohen Sep 11 '14 at 14:06
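The setuid() call mentioned in the answer above is the kernel side of the story, and it cuts both ways: the same family of calls is what a setuid-root program must use to give privilege back safely before it does anything on the user's behalf. The following is an added example, not code from either answer or from sudo/su themselves. It performs the drop in the order that actually works (supplementary groups, then gid, then uid, because each later step removes the right to do the earlier one), verifies the result instead of trusting it, and then probes whether root can be regained through the saved uid. The function names drop_privileges and can_regain_root are my own. Running it as an ordinary user is enough to see the mechanism: the probe then fails with EPERM. Installed setuid root (chown root; chmod 4755) it starts with euid 0 and shows the full transition.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Give up an elevated effective uid/gid for good and become the real
 * (invoking) user. This is the mirror image of what su and sudo do after
 * the setuid bit hands them euid 0: they set groups, gid and uid to the
 * target user before exec'ing the shell or command.
 * Ordering matters: the supplementary group list can only be changed while
 * still privileged, and the gid must be set before the uid, because after
 * setuid() to an ordinary user the process can no longer change its gid.
 * Returns 0 on success, -1 on any failure (fail closed: never carry on
 * half-dropped). */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Only root may touch the supplementary group list. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* From euid 0, setgid()/setuid() set real, effective AND saved ids;
     * from an ordinary euid they may only return to the real id. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    /* Verify rather than trust: all four visible ids must be ours now. */
    if (getuid() != ruid || geteuid() != ruid ||
        getgid() != rgid || getegid() != rgid)
        return -1;
    return 0;
}

/* The saved uid is the only way back to root after a drop. Probe it:
 * 1 means seteuid(0) succeeded (the drop left a way back, or the real
 * user is root anyway), 0 means the kernel refused with EPERM. */
int can_regain_root(void)
{
    if (seteuid(0) == 0)
        return 1;
    return 0;
}

int main(void)
{
    printf("before: ruid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("after:  ruid=%u euid=%u, can regain root: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           can_regain_root() ? "yes" : "no (EPERM)");
    return 0;
}
```

The design point is the verification step: a program that only calls seteuid() to become the user again keeps uid 0 in the saved set and can come back at will, which is exactly what an attacker who finds a bug in such a program wants. Using setuid() from euid 0 sets all three ids at once, and the seteuid(0) probe confirms that the door is closed.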