28.02.2025; Colloquium
Echtzeit-AG
Linux Capabilities: Principle of Least Privilege in Linux
In traditional UNIX systems, two categories of processes are distinguished: privileged processes (whose effective user ID is 0, i.e., the root user) and unprivileged processes (whose effective user ID is nonzero). Privileged processes bypass nearly all kernel permission checks, while unprivileged processes are subject to full permission checking. The main drawback of this approach is that programs which only need some privileges must be granted full root privileges in order to function. This limitation can be exploited not only by the programs themselves but also by an adversary who has compromised them. Linux solves this issue by splitting the privileges into distinct units, so-called capabilities. These capabilities may be assigned to processes, granting them only the necessary privileges and thereby implementing the principle of least privilege. The presentation will cover the main aspects of Linux capabilities and discuss how they relate to other security mechanisms like seccomp, AppArmor, and SELinux.
(Hauptseminar)
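To make the capability model described in the abstract concrete, here is an added example (not part of the announcement or the talk's material): a small Python tool that decodes the hexadecimal capability masks the kernel exposes in /proc/<pid>/status (CapEff, CapPrm, CapBnd, ...) into capability names and reports which capabilities a process holds beyond the ones it actually needs. The capability numbering follows include/uapi/linux/capability.h up to CAP_LAST_CAP = 40; the sample mask and the "needed" set for a hypothetical web server binding port 80 are constructed inputs chosen for illustration.

```python
"""Decode Linux capability bitmasks and audit them against a least-privilege set.

Added example; capability numbers are taken from the kernel's
include/uapi/linux/capability.h (bit N of the mask is capability number N).
"""
import os

# Capability names indexed by their kernel number (CAP_LAST_CAP = 40).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]


def decode_caps(hex_mask):
    """Turn a /proc-style hex mask (e.g. '00000000a80425fb') into capability names.

    Bits above CAP_LAST_CAP are reported as CAP_<n> so a newer kernel's
    capabilities are not silently dropped.
    """
    mask = int(hex_mask, 16)
    names = []
    for bit in range(64):
        if mask & (1 << bit):
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
    return names


def mask_for(names):
    """Inverse of decode_caps: build the integer mask for a list of capability names."""
    return sum(1 << CAP_NAMES.index(name) for name in names)


def excess_caps(hex_mask, needed):
    """Capabilities present in the mask that are not in the required set.

    A non-empty result means the process violates least privilege: it can do
    more than its job requires, and so can anyone who compromises it.
    """
    needed = set(needed)
    return [name for name in decode_caps(hex_mask) if name not in needed]


def read_proc_caps(pid="self"):
    """Read the Cap* lines of /proc/<pid>/status; returns {} if /proc is unavailable."""
    caps = {}
    try:
        with open("/proc/%s/status" % pid) as status:
            for line in status:
                if line.startswith("Cap"):
                    key, value = line.split(":", 1)
                    caps[key] = value.strip()
    except OSError:
        pass
    return caps


if __name__ == "__main__":
    # Constructed sample: a mask with 14 capabilities, as a container runtime
    # might hand to an unprivileged-by-design process.
    SAMPLE_MASK = "00000000a80425fb"
    # Hypothetical web server: binding port 80 needs exactly one capability.
    NEEDED = ["CAP_NET_BIND_SERVICE"]

    print("sample process holds:", decode_caps(SAMPLE_MASK))
    print("beyond what it needs:", excess_caps(SAMPLE_MASK, NEEDED))
    print("least-privilege mask would be: %016x" % mask_for(NEEDED))

    live = read_proc_caps()
    if live:
        print("this process CapEff:", decode_caps(live["CapEff"]) or "(none)")
        print("this process CapBnd has %d capabilities" % len(decode_caps(live["CapBnd"])))
```

Run as root the live section prints the full set (41 entries on a current kernel), while an ordinary shell shows an empty CapEff but a full CapBnd: the bounding set limits what can ever be gained, the effective set is what is usable right now. The excess_caps check is the kind of audit to run against a service's real CapEff before deciding which file capabilities (setcap) or systemd CapabilityBoundingSet/AmbientCapabilities to grant.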