Hacker News new | ask | show | jobs
by theamk 412 days ago
This all sounds very reasonable as long as servers/services are involved. Linux has capabilities for this purpose, and systemd goes a long way towards the vision you describe - daemons which do not need root and instead get all capabilities from the supervisore process.

However, were were talking about "sudo" and this is purely interactive tool (I am sure some people run sudo non-interactively, but we can all agree it's a bad security practice). So, how does this nice capabilities vision mesh with the idea of "administrator user"?

From what I see, it's not much different. Instead of "sudo" which verifies user identity+permissions and then gives out "root" or some other user, we have some other hypothetical tool ("become-admin"?) which verifies user identity+permission and gives out powerful system-changing capabilities. Frankly, I don't see much difference - it's the same security model either way.

(A related argument I've seen is "you should not need sudo for common tasks like update software or configure network" - but on modern Linuxes, you don't need sudo for that already, this is done via dbus + polkit calls. No "proper microkernels" required, that is already deployed everywhere.)
1 comments
vacuity 412 days ago
I was also the one who wrote a sibling comment saying that capabilities aren't magical, but I do think they are excellent as far as any mechanism goes. Linux doesn't nearly go far enough in capability-based security, and merely adapting practices fails to make full use of capabilities. It's a bug if I have to verify my identity often for a routine task, whether it's through sudo or polkit. User friction is bad for security in many ways. Instead, configure the service once to have the capabilities you would give it each time anyways. Take it out of the user's hands and set it down on the desk (still in their control, just not taking up space). polkit is not quite there, whereas capabilities easily confine all programs (don't have to support polkit), are trivially flexible in behavior while being both secure and invisible by default, and provide control to the proper agents (users and involved programs). Capabilities turn access control from a hard problem plus various pitfalls to just a hard problem. Rather than an incrementally better solution, changing paradigms here is a good idea. Although Unix already most has capabilities through file descriptors, so in some sense its "everything is a file" philosophy can't go far enough.
link