The Meaning of Posix.1e

After Unix software had been plagued by security holes during the 1990s, there was a discussion about how to define and implement standardized security mechanisms. Two decades have passed since then. Open the Linux man page capabilities(7) and you will see one result of that discussion.

System-related privileges on traditional Unix systems come in an all-or-nothing fashion. They are bound to uid 0, which is assigned to the login name root, and access to uid 0 grants unrestricted access to the whole system. Capabilities simply unbind these privileges from uid 0: they name and categorize them. TrustedBSD refers to them as fine-grained privileges. With capabilities it becomes transparent who holds which privilege. In effect, privileged programs such as network services no longer have to be started as root.

There are command line tools to list, find, get and set capabilities. For example, the following edited output of pscap(8) shows some running programs and the capabilities their processes currently hold.

ppid  pid   name        command           capabilities
1     439   root        haveged           sys_admin
1     1490  root        agetty            full
1     1511  ntp         ntpd              net_bind_service, sys_time +

The following output of filecap(8) lists executable files and the capabilities assigned to them upon program start.

file                 capabilities
/usr/bin/ping        net_raw
/usr/bin/ping6       net_raw
/usr/sbin/pinger     net_raw

Should an intruder obtain control over a capability-based program, e.g. a network service, he might obtain some privileges but not all of them. And if privileges have already been dropped, none are leaked. The example makes clear that Posix.1e capabilities are about system security, not application security: they bound what a compromised program can do to the system, they do not prevent the compromise itself.
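The transparency described above, and the leak check that follows from it, can be verified without pscap(8): the kernel exposes every process's capability sets as hex masks in the CapInh, CapPrm, CapEff, CapBnd and CapAmb lines of /proc/<pid>/status. The following C program is an example added to this page and is not code from libcap-ng, pscap(8) or the kernel. It decodes those masks into the names from capabilities(7), renders "full" in the same way as the pscap output above, and reports any capability a process holds beyond the set it is meant to have. The status excerpt it parses is constructed to resemble the ntpd process listed earlier (the uid and the "intended" set are assumptions); on Linux it additionally decodes the running process's own sets.

```c
/* Decode the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of /proc/<pid>/status.
 * Example added to this page; not part of libcap-ng, pscap(8) or the kernel.
 * Capability numbers follow capabilities(7): CAP_CHOWN is bit 0, ... */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid",
    "kill", "setgid", "setuid", "setpcap", "linux_immutable",
    "net_bind_service", "net_broadcast", "net_admin", "net_raw",
    "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot",
    "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice",
    "sys_resource", "sys_time", "sys_tty_config", "mknod", "lease",
    "audit_write", "audit_control", "setfcap", "mac_override",
    "mac_admin", "syslog", "wake_alarm", "block_suspend", "audit_read",
    "perfmon", "bpf", "checkpoint_restore",
};
#define CAP_LAST (sizeof cap_names / sizeof cap_names[0] - 1)

/* Constructed status excerpt modelled on the ntpd process shown above:
 * permitted = effective = net_bind_service (bit 10) | sys_time (bit 25),
 * bounding set = every capability. The uid is made up. */
const char *sample_status =
    "Name:\tntpd\n"
    "Uid:\t108\t108\t108\t108\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000002000400\n"
    "CapEff:\t0000000002000400\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n";

static uint64_t cap_bit(unsigned n) { return (uint64_t)1 << n; }

/* Find "<key>:" at the start of a line and parse the hex mask behind it.
 * Returns 1 and stores the mask, 0 if the key is not present. */
int cap_mask_from_status(const char *status, const char *key, uint64_t *mask)
{
    size_t klen = strlen(key);
    for (const char *p = status; (p = strstr(p, key)) != NULL; p += klen) {
        if ((p == status || p[-1] == '\n') && p[klen] == ':') {
            *mask = strtoull(p + klen + 1, NULL, 16);
            return 1;
        }
    }
    return 0;
}

/* Render a mask pscap-style: "full" when every capability in the table is
 * set, "none" when empty, otherwise a comma-separated list of names.
 * Bits above the table (newer kernels) are printed by number. */
char *cap_mask_to_names(uint64_t mask, char *out, size_t outlen)
{
    uint64_t all = (cap_bit(CAP_LAST) << 1) - 1;
    size_t used = 0;
    if ((mask & all) == all) { snprintf(out, outlen, "full"); return out; }
    if (mask == 0) { snprintf(out, outlen, "none"); return out; }
    out[0] = '\0';
    for (unsigned n = 0; n < 64; n++) {
        int w;
        if (!(mask & cap_bit(n))) continue;
        if (n <= CAP_LAST)
            w = snprintf(out + used, outlen - used, "%s%s", used ? ", " : "", cap_names[n]);
        else
            w = snprintf(out + used, outlen - used, "%s%u", used ? ", " : "", n);
        if (w < 0 || (size_t)w >= outlen - used) break;  /* output truncated */
        used += (size_t)w;
    }
    return out;
}

/* The leak check: capabilities in `have` that are not in `allowed`.
 * 0 means the process holds nothing beyond its intended set. */
uint64_t cap_leaked(uint64_t have, uint64_t allowed) { return have & ~allowed; }

static void report(const char *status, const char *who)
{
    static const char *keys[] = { "CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb" };
    char buf[1024];
    uint64_t m;
    printf("%s\n", who);
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        if (cap_mask_from_status(status, keys[i], &m))
            printf("  %-7s %s\n", keys[i], cap_mask_to_names(m, buf, sizeof buf));
}

int main(void)
{
    char buf[1024];
    uint64_t eff, intended = cap_bit(10) | cap_bit(25);  /* assumed policy for ntpd */

    report(sample_status, "constructed ntpd status");
    if (cap_mask_from_status(sample_status, "CapEff", &eff))
        printf("  leaked beyond intended set: %s\n",
               cap_mask_to_names(cap_leaked(eff, intended), buf, sizeof buf));

    FILE *f = fopen("/proc/self/status", "r");  /* Linux only; skipped elsewhere */
    if (f) {
        char status[4096];
        size_t n = fread(status, 1, sizeof status - 1, f);
        status[n] = '\0';
        fclose(f);
        report(status, "/proc/self/status");
    }
    return 0;
}
```

Run as an unprivileged user, the second report shows "none" for all sets except CapBnd, which is exactly what a program that has dropped its privileges should look like; run under a service that has been given only file capabilities, CapEff should decode to the same names filecap(8) prints for its binary, and cap_leaked() against the intended set should be zero.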

The above is only a rough overview of capabilities. Andreas Grünbacher put a lot of effort into advancing capabilities on Linux and made the above possible. Hallyn and Morgan wrote a practical article, Linux Capabilities: making them work, which I recommend to everybody interested in getting Posix.1e capabilities into programs.

The Standards Project

The challenge back then was to follow a standard in order to ensure portability across Posix conformant systems. One candidate was Posix.1e. It had already been abandoned and was only available to Posix members. But it was better than nothing.

Why Posix.1e was abandoned as a standard is hard to reconstruct from today's point of view. The general concept has been and still is very convincing to me. The Linux implementation proves that it is of practical relevance.

Courtesy of the IEEE and with the help of Casey Schaufler, the former technical editor of the standard, I obtained permission for limited public distribution in June 1999.

To leave no room for misunderstanding, the download page is kept separate from these private rantings.