Abstract
The typical way to run an administrative task on Linux is to execute it in the context of a super user. This breaks the principle of least privilege on access control. Other solutions, such as SELinux and AppArmor, are available but complex to use. In this paper, a new Linux module, named RootAsRole, is proposed to give users fine-grained control over the privileges they grant to Linux commands as capabilities. It adopts role-based access control (RBAC) [14], in which administrators can define a set of roles and the capabilities that are assigned to them. Administrators can then define the rules controlling which roles users or groups can assign to themselves. Each time a Linux user wants to execute a program that requires one or more capabilities, they should assign themselves the role that contains the needed capabilities, provided there is a rule that allows it. A pilot implementation on Linux systems is illustrated in detail.
Notes
- 1. The capability term here should not be confused with the capability term used in access control literature that refers to a token given by the kernel to a process to access an object (e.g. file descriptor).
References
Hallyn, S.E., Morgan, A.G.: Linux capabilities: making them work. In: The Linux Symposium, Ottawa, ON, Canada (2008). https://www.kernel.org/doc/ols/2008/ols2008v1-pages-163-172.pdf
Extended attributes: the good, the not so good, the bad (2014). https://www.lesbonscomptes.com/pages/extattrs.html. Accessed 28 Mar 2021
Linux manual page: ld.so, ld-linux.so - dynamic linker/loader. http://man7.org/linux/man-pages/man8/ld.so.8.html. Accessed 28 Mar 2021
Example code of Python http Server. https://docs.python.org/2/library/simplehttpserver.html. Accessed 28 Mar 2021
Code source of RootAsRole module. https://github.com/SamerW/RootAsRole. Accessed 28 Mar 2021
Kerrisk, M.: CAP_SYS_ADMIN: the new root (2012). https://lwn.net/Articles/486306/. Accessed 28 Mar 2021
Kerrisk, M.: The Linux Programming Interface, ISBN 159327291X, No Starch Press, October 1 2010
Linux capabilities man page. http://man7.org/linux/man-pages/man7/capabilities.7.html. Accessed 28 Mar 2021
Getting started with AppArmor. https://www.slideshare.net/pirafrank/getting-started-with-apparmor. Accessed 28 Mar 2021
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29, 38–47 (1996). https://doi.org/10.1109/2.485845
sudo vulnerability CVE-2019-14287. https://medium.com/@isharaabeythissa/cve-2019-14287-sudo-will-hit-your-root-4df17e6a089b. Accessed 28 Mar 2021
Zhang, T., Shen, W., Lee, D., Jung, C., Azab, A.M., Wang, R.: Pex: a permission check analysis framework for Linux kernel. In: Proceedings of the 28th USENIX Conference on Security Symposium, pp. 1205–1220 (2019)
Wang, Q., Chen, D., Zhang, N., Qin, Z., Qin, Z.: LACS: a lightweight label-based access control scheme in IoT-based 5G caching context. IEEE Access 5, 4018–4027 (2017). https://doi.org/10.1109/ACCESS.2017.2678510
Sohr, K., Drouineaud, M., Ahn, G., Gogolla, M.: Analyzing and managing role-based access control policies. IEEE Trans. Knowl. Data Eng. 20(7), 924–939 (2008). https://doi.org/10.1109/TKDE.2008.28
Acknowledgement
This work was partially supported by the European Union’s Horizon 2020 research and innovation program from the project CyberSec4Europe [grant agreement number 830929].
© 2021 IFIP International Federation for Information Processing
About this paper
Cite this paper
Wazan, A.S., Chadwick, D.W., Venant, R., Laborde, R., Benzekri, A. (2021). RootAsRole: Towards a Secure Alternative to sudo/su Commands for Home Users and SME Administrators. In: Jøsang, A., Futcher, L., Hagen, J. (eds) ICT Systems Security and Privacy Protection. SEC 2021. IFIP Advances in Information and Communication Technology, vol 625. Springer, Cham. https://doi.org/10.1007/978-3-030-78120-0_13
DOI: https://doi.org/10.1007/978-3-030-78120-0_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78119-4
Online ISBN: 978-3-030-78120-0
eBook Packages: Computer Science, Computer Science (R0)