Decap: Deprivileging Programs by Reducing Their Capabilities
Md Mehedi Hasan, Seyedhamed Ghavamnia, Michalis Polychronakis
Abstract
Linux enables non-root users to perform certain privileged operations through the use of the setuid (“set user ID”) mechanism. This represents a glaring violation of the principle of least privilege, as setuid programs run with full superuser privileges—with disastrous outcomes when vulnerabilities are found in them. Linux capabilities aim to improve this situation by splitting superuser privileges into distinct units that can be assigned individually. Despite the clear benefits of capabilities in reducing the risk of privilege escalation, their actual use is scarce, and setuid programs are still prevalent in modern Linux distributions. The lack of a systematic way for developers to identify the capabilities needed by a given program is a contributing factor that hinders their applicability.