Re: Frustrated with capabilities..

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Serge E. Hallyn

Subject: Re: Frustrated with capabilities..

Date: Friday, August 29, 2008 - 9:58 am

Quoting Pavel Machek (pavel@suse.cz):
quoted text> On Wed 2008-08-27 12:31:10, Markku Savela wrote:
> > I just want to run an exectable with limited capabilities and assumed
> > the following approach would work fine:
> > 
> >  1) fork process
> >  2) in child
> > 
> >     2.1 set current capabilities (eip) using cap_set_proc
> >     2.2 execve the executable.
> > 
> > But it frigging does not work! Just before the execve, the result of
> > cap_to_text is
> > 
> >     = cap_net_bind_service+eip
> > 
> > but, in the execve executable, the result is suddenly
> > 
> >     = cap_net_bind_service+i
> > 
> > Why does the execve clear the effective and permitted capabities,
> > against my clear instructions? (I also have the prctl KEEP_CAPS set,

KEEP_CAPS prevents capability set clearing at setuid, not at exec.

quoted text> > though in this case it should be irrelevant).
> > 
> > - The kernel is from ubuntu distro, 2.6.24.
> > 
> > - the executable *does* *not* have any setuid/setgid bits
> > 
> > - the upcoming file capabities will not be any help, because I will
> >   need to start the same executable with different capabilities
> >   depending on context.

They will help.  The context is pI.  When a file is executed, the task's
new permitted set is calculated as:

	pP' = (fI&pI) | (fP & X)

So you can give /bin/foo the file capabilities:
	fI=cap1,cap2,cap3
Then task 1 runs with pI=cap1, so when it executes /bin/foo it will get
	pP' = cap1
Task 2 runs with pI=cap2,cap3,cap4 so when it executes /bin/foo it will
get
	pP' = cap2,cap3

quoted text> Yes, you need upcoming filesystem capabilities.  Binary may not
> inherit capabilities unless filesystem flags permit that.
> 
> -- 
> (english) http://www.livejournal.com/~pavelmachek
> (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Frustrated with capabilities.., Markku Savela, (Wed Aug 27, 2:31 am)

Re: Frustrated with capabilities.., Pavel Machek, (Thu Aug 28, 7:18 am)

Re: Frustrated with capabilities.., Markku Savela, (Thu Aug 28, 7:45 am)

Re: Frustrated with capabilities.., Theodore Tso, (Thu Aug 28, 10:48 am)

Re: Frustrated with capabilities.., David P. Quigley, (Thu Aug 28, 2:03 pm)

Re: Frustrated with capabilities.., Casey Schaufler, (Thu Aug 28, 9:47 pm)

Re: Frustrated with capabilities.., Markku Savela, (Fri Aug 29, 3:18 am)

Re: Frustrated with capabilities.., James Morris, (Fri Aug 29, 3:47 am)

Re: Frustrated with capabilities.., Theodore Tso, (Fri Aug 29, 7:07 am)

Re: Frustrated with capabilities.., David P. Quigley, (Fri Aug 29, 7:20 am)

Re: Frustrated with capabilities.., Serge E. Hallyn, (Fri Aug 29, 9:58 am)

Re: Frustrated with capabilities.., Serge E. Hallyn, (Fri Aug 29, 10:11 am)

Navigation

Popular discussions


linux-kernel:
Greg Kroah-Hartman	[PATCH 041/196] kobject: add kobject_init_and_add function
Lukas Hejtmanek	Re: Another libata error related to OCZ SSD
Greg Kroah-Hartman	[PATCH 023/196] MCP_UCB1200: Convert from class_device to device
Florian Fainelli	Re: System clock runs too fast after 2.6.27 -> 2.6.28.1 upgrade
Christoph Lameter	[patch 1/4] mmu_notifier: Core code
git:
Johannes Schindelin	Re: [PATCH 1/2] Add strbuf_initf()
John Bito	[EGIT] Push to GitHub caused corruption
Jakub Narebski	Re: [PATCH 0/2] gitweb: patch view
Junio C Hamano	Re: [PATCH] When a remote is added but not fetched, tell the user.
Andy Parkins	Re: [RFC] Submodules in GIT
git-commits-head:
Linux Kernel Mailing List	ahci: Workaround HW bug for SB600/700 SATA controller PMP support
Linux Kernel Mailing List	V4L/DVB (11086): au0828: rename macro for currently non-function VBI support
Linux Kernel Mailing List	ceph: client types
Linux Kernel Mailing List	ceph: on-wire types
Linux Kernel Mailing List	crypto: chainiv - Use kcrypto_wq instead of keventd_wq
linux-netdev:
Andrew Morton	Re: [Bugme-new] [Bug 14969] New: b44: WOL does not work in suspended state
Giuseppe CAVALLARO	Re: [PATCH 03/13] stmmac: add the new Header file for stmmac platform data
Taku Izumi	[PATCH 3/3] ixgbe: add registers etc. printout code just before resetting adapters
Eric Dumazet	rps: some comments
Thomas Gleixner	Re: [RFC PATCH 02/12] On Tue, 23 Sep 2008, David Miller wrote:
openbsd-misc:
Stephan Andreas	problems with login after xlock in OpenBSD release 4.7
pmc	Make A Change. Alcoholism and Drug Addiction Treatment
ropers	Re: what exactly is enc0?
Fuad NAHDI	Re: What does your environment look like?
Matthew Szudzik	Typo on OpenBSD 4.4 CD Set

Colocation donated by:

Syndicate