On 26/01/2013 08:46, Mike Frysinger wrote:
>
> at least, this is all my understanding of things. i could be completely
> wrong, so feel free to correct something if you notice it.

All looks good to me, but just because somebody is going to wonder this I would add a few words:

While this is basically the same underlying idea of selinux and rbac, it is much more limited in scope. In particular, instead of telling each program exactly what it can or cannot do, we're giving them a broad spectrum of privileges (but much narrower than what a setuid root program would have). This is both less rewarding in terms of security, and less headache-prone.

Indeed most of the capabilities currently allowed are pretty much "do something almost like root" — so for instance `tcpdump` needs CAP_NET_ADMIN that does... almost everything with the network, while `ping` would just use CAP_NET_RAW and be able to send out the ICMP ECHO packets just fine. A web server, or any other server using privileged TCP/UDP ports (<1024), would need instead CAP_NET_BIND_SERVICE.

All these settings allow tools to run as users who generally don't have said capabilities, and yet be able to execute higher-level features. As Mike said, this is just to replace setuid (and if you've got selinux, you go one step further because you can for instance give CAP_DAC_READ_SEARCH to a tool, but also verify that it doesn't go randomly reading stuff out of a user's home).

There's also a different kind of capabilities, in theory, relating to users instead and using PAM — but I never got to get it working :(

--
Diego Elio Pettenò — Flameeyes
flameeyes@flameeyes.eu — http://blog.flameeyes.eu/
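The "one capability instead of setuid root" idea from the thread, as an added example that is not part of the mailing-list post: a program shrinks its own capability sets down to the single capability it needs (here CAP_NET_BIND_SERVICE, the web-server case above) and can check that e.g. CAP_NET_ADMIN is gone. It uses the raw capget/capset syscalls so no libcap link is needed; Linux only.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

// Read the effective/permitted/inheritable sets as 64-bit masks (v3 ABI
// returns two 32-bit halves per set).
static int read_caps(uint64_t *eff, uint64_t *perm, uint64_t *inh) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    *eff  = (uint64_t)data[1].effective   << 32 | data[0].effective;
    *perm = (uint64_t)data[1].permitted   << 32 | data[0].permitted;
    *inh  = (uint64_t)data[1].inheritable << 32 | data[0].inheritable;
    return 0;
}

// Keep at most `keep` in effective and permitted, clear inheritable.
// Dropping never requires privilege, so this also works as a plain user
// (whose sets are empty to begin with). Returns 0 on success.
static int keep_only(int keep) {
    uint64_t eff, perm, inh, mask = 1ULL << keep;
    if (read_caps(&eff, &perm, &inh) != 0) return -1;
    eff &= mask;
    perm &= mask;
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = {
        { (uint32_t)eff,         (uint32_t)perm,         0 },
        { (uint32_t)(eff >> 32), (uint32_t)(perm >> 32), 0 },
    };
    return (int)syscall(SYS_capset, &hdr, data);
}

// 1 if `cap` (e.g. CAP_NET_BIND_SERVICE) is in the effective set, else 0.
static int has_cap(int cap) {
    uint64_t eff, perm, inh;
    if (read_caps(&eff, &perm, &inh) != 0) return 0;
    return (int)((eff >> cap) & 1);
}

int main(void) {
    printf("before: bind=%d net_admin=%d\n",
           has_cap(CAP_NET_BIND_SERVICE), has_cap(CAP_NET_ADMIN));
    if (keep_only(CAP_NET_BIND_SERVICE) != 0) { perror("capset"); return 1; }
    printf("after:  bind=%d net_admin=%d\n",
           has_cap(CAP_NET_BIND_SERVICE), has_cap(CAP_NET_ADMIN));
    return 0;
}
```

Run it as an ordinary user and both lines show zeros; run it with file capabilities or as root and the second line shows only the bind capability surviving.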