linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* execve setting capabilities incorrectly ?
@ 2003-01-14 18:00 Don Cohen
  2003-01-14 18:18 ` Andrew Morgan
  0 siblings, 1 reply; 3+ messages in thread
From: Don Cohen @ 2003-01-14 18:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: morgan


Please cc me in replies.

quoting from message dated 1998/06 to this list from Andrew Morgan
 Subject: Fwd: Re: Capabilities 
 ...
 [root@godzilla progs]# ./execcap cap_net_bind_service=i sleep 1000 &
 [1] 600
 [root@godzilla progs]# cat /proc/600/status 
 ...
 CapInh: 0000000000000400
 CapPrm: 0000000000000400
 CapEff: 0000000000000400

My corresponding output ends up with
 CapInh: 0000000000000400
 CapPrm: 00000000fffffeff
 CapEff: 00000000fffffeff

I've tried in 2.4.18 and in 2.2.16, both give the same result so
I guess it's been this way for some time.

The caps seem to be set correctly by execcap but execve resets them. 
Is this intentional?  
If so, how is one now supposed to get the desired effects? 


What's really weird (can someone explain this?) is that things
seem to work better under strace:
 strace ./execcap = head <some file root has no permission to read>
=> permission denied
whereas without the strace it reads the file.


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: execve setting capabilities incorrectly ?
  2003-01-14 18:00 execve setting capabilities incorrectly ? Don Cohen
@ 2003-01-14 18:18 ` Andrew Morgan
  2003-01-14 18:47   ` Don Cohen
  0 siblings, 1 reply; 3+ messages in thread
From: Andrew Morgan @ 2003-01-14 18:18 UTC (permalink / raw)
  To: Don Cohen; +Cc: linux-kernel

execcap doesn't work.

Long story: Linux capabilities don't really work as POSIX intended them 
to work without filesystem support. I am not working on this these days, 
although there are some mostly complete patches on kernel.org for old 
kernels.

Because of the ambiguity of what setuid() does with the behavior I 
discussed in this old email, when combined with certain setuid-0 
programs, we had to make the kernel's default policy less like POSIX and 
more like the legacy superuser model.

You used to be able to make it work as it did in the examples below by 
raising the inheritable set and lowering the cap_bound set (which is 
another hack POSIX didn't specify).

In the absence of filesystem support for capabilities, various folk have 
come up with their own ways of leveraging the capabilities to implement 
some security models. I fear that completing the capability support as 
the POSIX draft defines them will break these other approaches.

I hope that helps clarify what you are seeing.

Cheers

Andrew [who isn't subscribed to the kernel mailing list.]

Don Cohen wrote:
> Please cc me in replies.
> 
> quoting from message dated 1998/06 to this list from Andrew Morgan
>  Subject: Fwd: Re: Capabilities 
>  ...
>  [root@godzilla progs]# ./execcap cap_net_bind_service=i sleep 1000 &
>  [1] 600
>  [root@godzilla progs]# cat /proc/600/status 
>  ...
>  CapInh: 0000000000000400
>  CapPrm: 0000000000000400
>  CapEff: 0000000000000400
> 
> My corresponding output ends up with
>  CapInh: 0000000000000400
>  CapPrm: 00000000fffffeff
>  CapEff: 00000000fffffeff
> 
> I've tried in 2.4.18 and in 2.2.16, both give the same result so
> I guess it's been this way for some time.
> 
> The caps seem to be set correctly by execcap but execve resets them. 
> Is this intentional?  
> If so, how is one now supposed to get the desired effects? 
> 
> 
> What's really weird (can someone explain this?) is that things
> seem to work better under strace:
>  strace ./execcap = head <some file root has no permission to read>
> => permission denied
> whereas without the strace it reads the file.
> 


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: execve setting capabilities incorrectly ?
  2003-01-14 18:18 ` Andrew Morgan
@ 2003-01-14 18:47   ` Don Cohen
  0 siblings, 0 replies; 3+ messages in thread
From: Don Cohen @ 2003-01-14 18:47 UTC (permalink / raw)
  To: Andrew Morgan; +Cc: linux-kernel

Andrew Morgan writes:
 > execcap doesn't work...

Thanks.
Could I suggest appropriate updates to
http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt
(which caused me to waste a day or so).
I hope the people who can make such updates read this list.

I'd also appreciate pointers to other mechanisms for accomplishing the
same goals.  (And perhaps these belong in the above update too.)

Which still leaves the question of what strace has to do with it.

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2003-01-14 18:37 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-01-14 18:00 execve setting capabilities incorrectly ? Don Cohen
2003-01-14 18:18 ` Andrew Morgan
2003-01-14 18:47   ` Don Cohen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).