system file ownership

Robert Connolly robert at
Mon Jun 4 07:39:40 PDT 2007

On Monday June 4 2007 03:29:21 am Jan Dvořák wrote:
> Robert Connolly wrote:
> > The libcap-1.10/doc/capability.notes file says it's more secure for root
> > to not own any files on the system. It suggests having a 'system' user,
> > who never logs in, owning everything that root would normally own. This
> > is true to an extent...
> Okay... Some random daemon running as root without root's fs caps gets
> cracked. There is /bin/su owned by root for sure, so he modifies it,
> makes it setuid again and then switches to some random uid and runs
> /bin/su that does what is required.
> Would that work? How do you defend against this, if it does?

Drop CAP_SETGID and CAP_SETUID too. It would work if /bin/su inherits 
capabilities, or lack of capabilities.

Root would be able to overwrite /bin/su, but wouldn't be able to use even a 
modified /bin/su to elevate it's capabilities.

There are holes in this though. If root has write access on /etc/shadow then 
the attacker can add a new user, replace root's password, start sshd, login 
as the new user, and su up to root with full caps. So, root can't 
own /etc/shadow... /bin/passwd would have to be suid-shadow. I'm not sure 
what to do with /usr/sbin/useradd... su to the shadow user to add users? or 
make useradd suid-shadow with only root, and shadow, having execute 
permission. Either way, a root user without setuid caps wouldn't be able to 
add new users, or change anyone's password.

There are probably more holes.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <>

More information about the hlfs-dev mailing list