For unimportant reasons, on my Ubuntu 24.04 installation, I went looking for things that set file capabilities in /usr/bin and /usr/sbin. There were three:
- ping: cap_net_raw=ep
- mtr-packet: cap_net_raw=ep
- kwin_wayland: cap_sys_resource=ep
The =ep
notation means that only the listed capabilities are set to “effective” and “permitted”, but not “inheritable.” Processes can and do receive the capability, but cannot pass it to child processes.
ping
and mtr-packet
are “as expected.” They want to send unusual network packets, so they need that right. (This is the sort of thing I would also expect to see on nmap
, if it were installed.)
kwin_wayland
was a bit more surprising to see. Why does it want that? Through reading capabilities(7) and running strings /usr/bin/kwin_xwayland
, my best guess is that kwin needs to raise its RLIMIT_NOFILE
(max number of open files.)
There’s a separate kwin_wayland_wrapper
file. A quick check showed that it was not a shell script (a common form of wrapper), but an actual executable. Could it have had the capability, set the limits, and launched the main process? For that matter, could this whole startup sequence have been structured through systemd, so that none of kwin’s components needed elevated capabilities?
The latter question is easily answered: no. This clearly isn’t a system service, and if it were run from the user instance, that never had any elevated privileges. (The goal, as I understand it, is that a systemd user-session bug doesn’t permit privilege escalation, and “not having those privileges” is the surest way to avoid malicious use of them.)
If kwin actually adjusts the limit dynamically, in response to the actual number of clients seen, then the former answer would also be “no.” To exercise the capability at any time, kwin itself must retain it.
I haven’t read the code to confirm any of this. Really, it seems like this situation is exactly what capabilities are for; to allow limited actions like raising resource limits, without giving away broad access to the entire system. Even if I were to engineer a less-privileged alternative, it doesn’t seem like it will measurably improve the “security,” especially not for cap_sys_resource. It was just a fun little thought experiment.
No comments:
Post a Comment