4

I am studying for a Computer Security exam, and I am struggling to understand the following sample question.

'Explain the difference between running in ring 0 on x86 and running as UID 0 in Linux. Give an example of something that each one enables, but the other does not.'

My current understanding is that ring 0 on x86 is the most privileged OS level and that kernel code is run in ring 0. UID 0 is the Linux superuser that can essentially run anything. With my current understanding of these concepts, I don't understand how to answer this question.

Please note: this is NOT a homework question and is NOT something I will be graded upon; it is study material only.

  • ring0 code can execute privileged instructions of CPU which even uid 0 process cannot. ring0 code also can access kernel memory directly while uid 0 process will be required to use kernel services for that. – Nov 03 '15 at 02:25
  • and for the other part of the question: uid 0 can access any file on any filesystem on the system. ring0 itself has no direct knowledge of filesystems (but code running in ring0 such as a kernel might). – cas Nov 03 '15 at 03:22

1 Answer

6

Your understanding is correct. “Ring 0” is the x86 term for the kernel mode of the processor. “Running in ring 0” means “kernel code”.

In terms of security, everything that can be done by a process (under any UID) can be done by the kernel. Some things are very inconvenient to do from kernel code, for example opening a file, but they are possible.

Conversely, under normal circumstances, if you can run code under UID 0, then you can run kernel code, by loading a kernel module. Thus there is no security barrier between UID 0 and kernel level under a typical configuration. However, code running in a process is still bound by the limitations of the processor's user mode: every access to a peripheral (including disks, network, etc.) still has to go via a system call. It is possible to configure a machine to have a UID 0 that isn't all-powerful, for example:

  • Disable the loading of kernel modules.
  • Use a security framework such as SELinux to take away privileges from a process: UID 0 does not necessarily trump those; for example, it's possible to make a guest account with UID 0 but essentially no privileges with the right SELinux policy.
  • UID 0 in a user namespace only has the permissions of the namespace creator.
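
The restrictions listed in the answer above can be checked from inside a process to see whether its UID 0 still has the module-loading path to kernel mode. This is an added example, not part of the original answer; it goes one step further by also checking `CAP_SYS_MODULE` (not mentioned in the answer), and the function names and sample strings are constructed for illustration.

```python
#!/usr/bin/env python3
"""Added example: which barriers stand between this process and loading a kernel module?"""
import os

CAP_SYS_MODULE = 16  # capability bit the kernel requires for module loading

def read(path):
    """Return file contents, or None if the file is absent or unreadable."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None

def in_initial_userns(uid_map):
    """The initial user namespace maps the full UID range onto itself."""
    rows = [tuple(int(x) for x in ln.split()) for ln in uid_map.splitlines() if ln.strip()]
    return rows == [(0, 0, 4294967295)]

def has_cap(status, bit):
    """Test one bit of the CapEff mask from /proc/<pid>/status."""
    for line in status.splitlines():
        if line.startswith("CapEff:"):
            return bool((int(line.split()[1], 16) >> bit) & 1)
    return False

def assess(euid, uid_map, status, modules_disabled, selinux_enforce):
    """Return the list of barriers found; an empty list means none was detected."""
    barriers = []
    if euid != 0:
        barriers.append("not UID 0")
    if uid_map is not None and not in_initial_userns(uid_map):
        barriers.append("UID 0 is inside a user namespace")
    if status is not None and not has_cap(status, CAP_SYS_MODULE):
        barriers.append("CAP_SYS_MODULE not in effective set")
    if (modules_disabled or "").strip() == "1":
        barriers.append("kernel.modules_disabled=1")
    if (selinux_enforce or "").strip() == "1":
        barriers.append("SELinux enforcing (policy may restrict UID 0)")
    return barriers

# Constructed sample inputs, in the format of the corresponding /proc files.
INIT_MAP = "         0          0 4294967295\n"
USERNS_MAP = "         0       1000          1\n"
FULL_CAPS = "Name:\tsh\nCapEff:\t000001ffffffffff\n"
REDUCED_CAPS = "Name:\tsh\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    found = assess(os.geteuid(), read("/proc/self/uid_map"), read("/proc/self/status"),
                   read("/proc/sys/kernel/modules_disabled"), read("/sys/fs/selinux/enforce"))
    print(found or "no barrier detected between this process and module loading")
```

Note that inside a user namespace `CapEff` can show a full mask while the capabilities apply only to resources owned by that namespace, which is why the `uid_map` check is separate.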