linux-kernel.vger.kernel.org archive mirror
* capabilities carried over execve()
@ 2001-04-24 14:45 Eric Buddington
From: Eric Buddington @ 2001-04-24 14:45 UTC (permalink / raw)
  To: linux-kernel

I am attempting to write an init replacement that is capability-smart.
Though I'm pleased that prctl() lets me keep capabilities across a
setreuid(), maintaining caps over execve() seems impossible to do right.

I currently see a few options:
	- use the CLOEXEC-pipe hack that execcap uses (parent notices
	  when pipe closes then rushes to set caps on child before
	  child notices they're gone). This looks like a race to me.
	- tweak linux/fs/exec.c (prepare_binprm) to pretend that all
	  files have cap_inheritable and cap_effective fully set.
	  This seems a more elegant solution, but requires a kernel
	  patch.
	- exec the child in a stopped state, mess with caps, then
	  send it SIGCONT. AFAIK, there is no way to do
	  execve_and_stop.

Is there a better solution available, or one in the works?
I think capabilities may be a key to achieving Pretty Good (tm) security
- but then again, so is running bind as non-root, and nobody even
bothers to do that...

-Eric
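
The execve() transition Eric is fighting, as an added example that is not part of the thread: a C model of the rules documented in capabilities(7), including the ambient set that Linux 4.3 later added for exactly this case (carrying capabilities into a plain binary that has no file capabilities and is not set-UID). Bit numbers match linux/capability.h, the inputs are constructed, and the root-UID compatibility special case is left out.

```c
/* Model of the execve() capability transition from capabilities(7), with the
 * ambient set (Linux 4.3+).  Sets are 64-bit masks, bits as in linux/capability.h. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_BIT(n)       (1ULL << (n))
#define CAP_KILL_B       CAP_BIT(5)
#define CAP_SYS_MODULE_B CAP_BIT(16)
#define CAP_ALL          (~0ULL)

struct proc_caps { uint64_t inh, prm, eff, bnd, amb; };
struct file_caps { uint64_t inh, prm; bool eff_bit, setuid; };

/* Sets the process holds after execve().  A "privileged" file (file caps
 * present, or set-UID/set-GID) drops the ambient set, so ambient caps never
 * leak into binaries that were built to gain privilege on their own. */
struct proc_caps execve_transition(struct proc_caps p, struct file_caps f)
{
    bool privileged = f.setuid || f.inh || f.prm || f.eff_bit;
    struct proc_caps n;
    n.amb = privileged ? 0 : p.amb;
    n.prm = (p.inh & f.inh) | (f.prm & p.bnd) | n.amb;
    n.eff = f.eff_bit ? n.prm : n.amb;
    n.inh = p.inh;
    n.bnd = p.bnd;
    return n;
}

/* Eric's situation (constructed): an init holding kill+insmod in its
 * inheritable, permitted and effective sets execs an ordinary binary that
 * carries no file capabilities and is not set-UID. */
struct proc_caps eric_case(bool with_ambient)
{
    uint64_t held = CAP_KILL_B | CAP_SYS_MODULE_B;
    struct proc_caps p = { held, held, held, CAP_ALL, with_ambient ? held : 0 };
    struct file_caps plain = { 0, 0, false, false };
    return execve_transition(p, plain);
}

int main(void)
{
    struct proc_caps lost = eric_case(false), kept = eric_case(true);
    printf("no ambient:  permitted=%#llx effective=%#llx\n",
           (unsigned long long)lost.prm, (unsigned long long)lost.eff);
    printf("ambient:     permitted=%#llx effective=%#llx\n",
           (unsigned long long)kept.prm, (unsigned long long)kept.eff);
    return 0;
}
```

Without the ambient set the empty file sets wipe both kill and insmod (permitted and effective become 0), which is the loss Eric describes; with ambient both survive as 0x10020, and a set-UID target drops them again.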


* Re: capabilities carried over execve()
@ 2001-04-26 20:10 ` Pavel Machek
From: Pavel Machek @ 2001-04-26 20:10 UTC (permalink / raw)
  To: ebuddington, linux-kernel

Hi!

> I am attempting to write an init replacement that is capability-smart.
> Though I'm pleased that prctl() lets me keep capabilities across a
> setreuid(), maintaining caps over execve() seems impossible to do right.
> 
> I currently see a few options:
> 	- use the CLOEXEC-pipe hack that execcap uses (parent notices
> 	  when pipe closes then rushes to set caps on child before
> 	  child notices they're gone). This looks like a race to me.
> 	- tweak linux/fs/exec.c (prepare_binprm) to pretend that all
> 	  files have cap_inheritable and cap_effective fully set.
> 	  This seems a more elegant solution, but requires a kernel
> 	  patch.
> 	- exec the child in a stopped state, mess with caps, then
> 	  send it SIGCONT. AFAIK, there is no way to do
> 	  execve_and_stop.

What about ptrace? It should be able to do this kind of stuff... but
it is going to be messy.
								Pavel
-- 
I'm pavel@ucw.cz. "In my country we have almost anarchy and I don't care."
Panos Katsaloulis describing me w.r.t. patents at discuss@linmodems.org


* Re: capabilities carried over execve()
@ 2001-04-24 15:05 willy tarreau
From: willy tarreau @ 2001-04-24 15:05 UTC (permalink / raw)
  To: eric; +Cc: linux-kernel

I personally use this simple patch which allows me
to keep caps over execve(). It allows me to give a
few more rights to some trusted users, such as 
kill, insmod... without risking unlink, chown or 
so. I couldn't find any other way to achieve this.

If needed, I can send you the complete prog which
sets the requested capabilities upon login, 
eventually asking for a password and limited in 
time of day.

Regards,
Willy

--- linux-2.2.18-wt11/fs/exec.c Fri Feb 16 23:11:52
2001
+++ linux-2.2.18-wt11+caps/fs/exec.c    Thu Feb 22
20:45:33 2001
@@ -702,7 +702,10 @@
        cap_clear(bprm->cap_inheritable);
        cap_clear(bprm->cap_permitted);
        cap_clear(bprm->cap_effective);
-
+/*** FIXME: just a test : keep permitted and
effective ******/
+bprm->cap_permitted =
cap_intersect(current->cap_inheritable,current->cap_permitted);
+bprm->cap_effective =
cap_intersect(current->cap_inheritable,current->cap_effective);
+/*** /FIXME ****/
        /*  To support inheritance of root-permissions
and suid-root
          *  executables under compatibility mode, we
raise all three
          *  capability sets for the file.
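Review bot: the two assignments `bprm->cap_permitted = cap_intersect(current->cap_inheritable,current->cap_permitted);` and `bprm->cap_effective = cap_intersect(current->cap_inheritable,current->cap_effective);` hand every executable the caller's inheritable-and-permitted capabilities as both permitted and effective, so the per-file sets that were just cleared with `cap_clear()` no longer gate anything, and a capability-unaware program starts with those capabilities already effective instead of having to raise them itself. The context that follows says the three file sets are raised only for root and suid-root executables under compatibility mode; this hunk extends the same treatment to any non-root process that carries inheritable capabilities, which is a deliberate widening of the model and should be stated as such. Before this goes beyond a local build, replace the `FIXME: just a test` marker with a comment describing that intent, consider filling only cap_permitted and leaving cap_effective cleared so a trusted program raises what it needs, and indent the added lines to match the surrounding `cap_clear()` calls.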




