Skip to main content
SpringerLink
Log in

RootAsRole: Towards a Secure Alternative to sudo/su Commands for Home Users and SME Administrators

  • Conference paper
  • First Online:
ICT Systems Security and Privacy Protection (SEC 2021)

Part of the book series: IFIP Advances in Information and Communication Technology ((IFIPAICT,volume 625))

Abstract

The typical way to run an administrative task on Linux is to execute it in the context of a super user. This breaks the principle of least privilege on access control. Other solutions, such as SELinux and AppArmor, are available but complex to use. In this paper, a new Linux module, named RootAsRole, is proposed to allow users to fine-grained control the privileges they grant to Linux commands as capabilities. It adopts a role-based access control (RBAC) [14], in which administrators can define a set of roles and the capabilities that are assigned to them. Administrators can then define the rules controlling what roles users or groups can assign to themselves. Each time a Linux user wants to execute a program that necessitates one or more capabilities, (s)he should assign the role to him/herself that contains the needed capabilities, providing there is a rule that allows it. A pilot implementation on Linux systems is illustrated in detail.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 119.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 159.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 159.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The capability term here should not be confused with the capability term used in access control literature that refers to a token given by the kernel to a process to access an object (e.g. file descriptor).

References

  1. Hallyn, S.E., Morgan, A.G.: Linux capabilities: making them work. In: The Linux Symposium, Ottawa, ON, Canada (2008). https://www.kernel.org/doc/ols/2008/ols2008v1-pages-163-172.pdf

  2. Extended attributes: the good, the not so good, the bad (2014). https://www.lesbonscomptes.com/pages/extattrs.html. Accessed 28 Mar 2021

  3. Linux manual page:ld.so, ld-linux.so - dynamic linker/loader. http://man7.org/linux/man-pages/man8/ld.so.8.html. Accessed 28 Mar 2021

  4. Example code of Python http Server. https://docs.python.org/2/library/simplehttpserver.html. Accessed 28 Mar 2021

  5. Code source of RootAsRole module. https://github.com/SamerW/RootAsRole. Accessed 28 Mar 2021

  6. Kerrisk, M.: CAP\_SYS\_ADMIN: the new root (2012). https://lwn.net/Articles/486306/. Accessed 28 Mar 2021

  7. Kerrisk, M.: The Linux Programming interface, ISBN 159327291X, No Strarch Press, October 1 2010

    Google Scholar 

  8. Linux capabilities man page. http://man7.org/linux/man-pages/man7/capabilities.7.html. Accessed 28 Mar 2021

  9. Getting started with AppArmor. https://www.slideshare.net/pirafrank/getting-started-with-apparmor. Accessed 28 Mar 2021

  10. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29, 38–47 (1996). https://doi.org/10.1109/2.485845

    Article  Google Scholar 

  11. sudo vulnerability CVE-2019-14287. https://medium.com/@isharaabeythissa/cve-2019-14287-sudo-will-hit-your-root-4df17e6a089b. Accessed 28 Mar 2021

  12. Zhang, T., Shen, W., Lee, D., Jung, C., Azab, A.M., Wang, R.: Pex: a permission check analysis framework for Linux kernel. In: 2019, Proceedings of the 28th USENIX Conference on Security Symposium, pp. 1205–1220 (2019)

    Google Scholar 

  13. Wang, Q., Chen, D., Zhang, N., Qin, Z., Qin, Z.: LACS: a lightweight label-based access control scheme in IoT-based 5G caching context. IEEE Access 5, 4018–4027 (2017). https://doi.org/10.1109/ACCESS.2017.2678510

    Article  Google Scholar 

  14. Sohr, K., Drouineaud, M., Ahn, G., Gogolla, M.: Analyzing and managing role-based access control policies. IEEE Trans. Knowl. Data Eng. 20(7), 924–939 (2008). https://doi.org/10.1109/TKDE.2008.28

    Article  Google Scholar 

Download references

Acknowledgement

This work was partially supported by the European Union’s Horizon 2020 research and innovation program from the project CyberSec4Europe [grant agreement number 830929].

Author information

Authors and Affiliations

  1. Zayed University, Dubai, UAE

    Ahmad Samer Wazan

  2. Paul Sabatier University, Toulouse, France

    Ahmad Samer Wazan, Romain Laborde & Abdelmalek Benzekri

  3. Kent University, Canterbury, UK

    David W. Chadwick

  4. LeMans University, Le Mans, France

    Remi Venant

Authors
  1. Ahmad Samer Wazan
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. David W. Chadwick
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Remi Venant
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Romain Laborde
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Abdelmalek Benzekri
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ahmad Samer Wazan .

Editor information

Editors and Affiliations

  1. University of Oslo, Oslo, Norway

    Audun Jøsang

  2. Nelson Mandela University, Gqeberha, South Africa

    Lynn Futcher

  3. University of Oslo, Oslo, Norway

    Janne Hagen

Rights and permissions

Reprints and permissions

Copyright information

© 2021 IFIP International Federation for Information Processing

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Wazan, A.S., Chadwick, D.W., Venant, R., Laborde, R., Benzekri, A. (2021). RootAsRole: Towards a Secure Alternative to sudo/su Commands for Home Users and SME Administrators. In: Jøsang, A., Futcher, L., Hagen, J. (eds) ICT Systems Security and Privacy Protection. SEC 2021. IFIP Advances in Information and Communication Technology, vol 625. Springer, Cham. https://doi.org/10.1007/978-3-030-78120-0_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-78120-0_13

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-78119-4

  • Online ISBN: 978-3-030-78120-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation