* Is CAP_SYS_ADMIN checked by every program !?
@ 2004-12-29 4:47 Tetsuo Handa
2004-12-30 3:52 ` Walter Liu
` (3 more replies)
0 siblings, 4 replies; 10+ messages in thread
From: Tetsuo Handa @ 2004-12-29 4:47 UTC (permalink / raw)
To: linux-kernel
Hello.
I found a strange behavior with kernel 2.6.9 and later. ( I haven't tested for 2.6.8 and earlier. )
It seems to me that every program calls capable(CAP_SYS_ADMIN),
even for programs such as cat(1) sed(1) ls(1).
My environment is Fedora Core 3.
The following is the patch for checking.
----- Start of Patch -----
*** sched.h.org Sat Dec 25 06:33:59 2004
--- sched.h Wed Dec 29 13:00:53 2004
***************
*** 870,875 ****
--- 870,882 ----
#else
static inline int capable(int cap)
{
+ if (cap == CAP_SYS_ADMIN) {
+ static pid_t last_pid = 0;
+ if (current->pid != last_pid) {
+ printk("euid=%d uid=%d %s %s\n", current->euid, current->uid, cap_raised(current->cap_effective, CAP_SYS_ADMIN) ? "true" : "fa
lse", current->comm);
+ last_pid = current->pid;
+ }
+ }
if (cap_raised(current->cap_effective, cap)) {
current->flags |= PF_SUPERPRIV;
return 1;
----- End of Patch -----
Programs run as root always show "true", and run as non-root always show "false",
but it's will be OK.
I can't understand why every program checks for CAP_SYS_ADMIN .
With 2.4.28 and RedHat 9, no such behavior happens.
Is this normal behavior for 2.6 ?
I located .config at http://hp.vector.co.jp/authors/VA022513/tmp/config-2.6.10 .
(By the way, why not prepare ".config file keeper" like pgp.mit.edu ? I think it can save ML traffic. )
Regards.
-------
Tetsuo Handa
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: Is CAP_SYS_ADMIN checked by every program !?
2004-12-29 4:47 Is CAP_SYS_ADMIN checked by every program !? Tetsuo Handa
@ 2004-12-30 3:52 ` Walter Liu
2004-12-30 4:45 ` Bernd Eckenfels
` (2 subsequent siblings)
3 siblings, 0 replies; 10+ messages in thread
From: Walter Liu @ 2004-12-30 3:52 UTC (permalink / raw)
To: Tetsuo Handa; +Cc: linux-kernel
Tetsuo Handa wrote:
> Hello.
>
>I found a strange behavior with kernel 2.6.9 and later. ( I haven't tested for 2.6.8 and earlier. )
>It seems to me that every program calls capable(CAP_SYS_ADMIN),
>even for programs such as cat(1) sed(1) ls(1).
>My environment is Fedora Core 3.
>
>The following is the patch for checking.
>
>----- Start of Patch -----
>*** sched.h.org Sat Dec 25 06:33:59 2004
>--- sched.h Wed Dec 29 13:00:53 2004
>***************
>*** 870,875 ****
>--- 870,882 ----
> #else
> static inline int capable(int cap)
> {
>+ if (cap == CAP_SYS_ADMIN) {
>+ static pid_t last_pid = 0;
>+ if (current->pid != last_pid) {
>+ printk("euid=%d uid=%d %s %s\n", current->euid, current->uid, cap_raised(current->cap_effective, CAP_SYS_ADMIN) ? "true" : "fa
>lse", current->comm);
>+ last_pid = current->pid;
>+ }
>+ }
> if (cap_raised(current->cap_effective, cap)) {
> current->flags |= PF_SUPERPRIV;
> return 1;
>----- End of Patch -----
>
>Programs run as root always show "true", and run as non-root always show "false",
>but it's will be OK.
>I can't understand why every program checks for CAP_SYS_ADMIN .
>With 2.4.28 and RedHat 9, no such behavior happens.
>
>Is this normal behavior for 2.6 ?
>
>
>
The POSIX capability mechanism is the OS privilege mechanism ,
like the privilege mechanism in VMS or NT .
I think that every process for any capability have to check them,
This is a must operation..
Regards
LWT
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: Is CAP_SYS_ADMIN checked by every program !?
2004-12-29 4:47 Is CAP_SYS_ADMIN checked by every program !? Tetsuo Handa
2004-12-30 3:52 ` Walter Liu
@ 2004-12-30 4:45 ` Bernd Eckenfels
2004-12-30 5:35 ` Kyle Moffett
2004-12-30 13:37 ` Tetsuo Handa
3 siblings, 0 replies; 10+ messages in thread
From: Bernd Eckenfels @ 2004-12-30 4:45 UTC (permalink / raw)
To: linux-kernel
In article <200412291347.JEH41956.OOtStPFFNMLJVGMYS@i-love.sakura.ne.jp> you wrote:
> even for programs such as cat(1) sed(1) ls(1).
You you tried strace, if it is actually the user mode which is doing that?
If yes, then it might be a libc issue. Perhaps hwcap or something line this.
libc for example disables some features if running suid. Maybe those checks
result in checking capabilities.
Greetings
Bernd
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Is CAP_SYS_ADMIN checked by every program !?
2004-12-29 4:47 Is CAP_SYS_ADMIN checked by every program !? Tetsuo Handa
2004-12-30 3:52 ` Walter Liu
2004-12-30 4:45 ` Bernd Eckenfels
@ 2004-12-30 5:35 ` Kyle Moffett
2004-12-30 5:46 ` Valdis.Kletnieks
2004-12-30 7:40 ` Tetsuo Handa
2004-12-30 13:37 ` Tetsuo Handa
3 siblings, 2 replies; 10+ messages in thread
From: Kyle Moffett @ 2004-12-30 5:35 UTC (permalink / raw)
To: Tetsuo Handa; +Cc: linux-kernel
On Dec 28, 2004, at 23:47, Tetsuo Handa wrote:
> It seems to me that every program calls capable(CAP_SYS_ADMIN),
Umm, the program has nothing to do with this. Programs themselves have
no
access to the kernel function "capable". Probably something in the
kernel, perhaps
triggered by libc or maybe just suid checks, is checking for
CAP_SYS_ADMIN. It's
harmless and irrelevant, why do you care?
> + if (cap == CAP_SYS_ADMIN) {
> + static pid_t last_pid = 0;
> + if (current->pid != last_pid) {
> + printk("euid=%d uid=%d %s %s\n",
> current->euid, current->uid, cap_raised(current->cap_effective,
> CAP_SYS_ADMIN) ? "true" : "fa
> lse", current->comm);
> + last_pid = current->pid;
> + }
> + }
Yes, whenever anything on the computer, including the kernel, checks if
a program
has a capability bit set, it will print out whether or not it does in
the dmesg. Why
does that matter?
> I can't understand why every program checks for CAP_SYS_ADMIN .
Programs aren't, the kernel is, for whatever reason.
Cheers,
Kyle Moffett
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCM/CS/IT/U d- s++: a18 C++++>$ UB/L/X/*++++(+)>$ P+++(++++)>$
L++++(+++) E W++(+) N+++(++) o? K? w--- O? M++ V? PS+() PE+(-) Y+
PGP+++ t+(+++) 5 X R? tv-(--) b++++(++) DI+ D+ G e->++++$ h!*()>++$ r
!y?(-)
------END GEEK CODE BLOCK------
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: Is CAP_SYS_ADMIN checked by every program !?
2004-12-30 5:35 ` Kyle Moffett
@ 2004-12-30 5:46 ` Valdis.Kletnieks
2004-12-30 6:13 ` Bernd Eckenfels
2004-12-30 7:40 ` Tetsuo Handa
1 sibling, 1 reply; 10+ messages in thread
From: Valdis.Kletnieks @ 2004-12-30 5:46 UTC (permalink / raw)
To: Kyle Moffett; +Cc: Tetsuo Handa, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 412 bytes --]
On Thu, 30 Dec 2004 00:35:06 EST, Kyle Moffett said:
> Yes, whenever anything on the computer, including the kernel, checks if
> a program
> has a capability bit set, it will print out whether or not it does in
> the dmesg. Why
> does that matter?
If you actually log your kernel messages it can matter, if every single
process suddenly starts dumping a line in your syslogs, especially on a
busy system...
[-- Attachment #2: Type: application/pgp-signature, Size: 226 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Is CAP_SYS_ADMIN checked by every program !?
2004-12-30 5:46 ` Valdis.Kletnieks
@ 2004-12-30 6:13 ` Bernd Eckenfels
0 siblings, 0 replies; 10+ messages in thread
From: Bernd Eckenfels @ 2004-12-30 6:13 UTC (permalink / raw)
To: linux-kernel
In article <200412300546.iBU5kVie023979@turing-police.cc.vt.edu> you wrote:
> If you actually log your kernel messages it can matter, if every single
> process suddenly starts dumping a line in your syslogs, especially on a
> busy system...
It does not, the patch is not part of the linux kernel. There is nothing
which is tracing permission checks.
Of course this might become interesting, if you want to do full audit log,
however the current functionality in the kernel infrastructure is not very
well suited for that, since you would habe to do stack analysis for
meaningful traces (like "who checked access permission, why")
Gruss
Bernd
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Is CAP_SYS_ADMIN checked by every program !?
2004-12-30 5:35 ` Kyle Moffett
2004-12-30 5:46 ` Valdis.Kletnieks
@ 2004-12-30 7:40 ` Tetsuo Handa
2004-12-30 8:24 ` Bernd Eckenfels
2005-01-03 13:52 ` Stephen Smalley
1 sibling, 2 replies; 10+ messages in thread
From: Tetsuo Handa @ 2004-12-30 7:40 UTC (permalink / raw)
To: mrmacman_g4, linux-kernel
Hello,
In message <9033584D-5A24-11D9-989E-000393ACC76E@mac.com>
"Re: Is CAP_SYS_ADMIN checked by every program !?"
"Kyle Moffett <mrmacman_g4@mac.com>" wrote:
> On Dec 28, 2004, at 23:47, Tetsuo Handa wrote:
> > It seems to me that every program calls capable(CAP_SYS_ADMIN),
>
> Umm, the program has nothing to do with this. Programs themselves have
> no
> access to the kernel function "capable". Probably something in the
> kernel, perhaps
> triggered by libc or maybe just suid checks, is checking for
> CAP_SYS_ADMIN. It's
> harmless and irrelevant, why do you care?
I'm developing a kernel patch that provides simple and handy
MAC(mandatory access control) functionality, much easier than SELinux.
And now I'm porting the patch from 2.4 to 2.6,
though the patch can't support LSM, for it refers 'struct vfsmount'.
At first, I doubted that some kernel function (do_execve(), memory management
functions, or any kernel functions that are always called by every process) is
doing this CAP_SYS_ADMIN checking. But may be this CAP_SYS_ADMIN checking is
caused by the Fedora Core 3's libc, not by the kernel.
I don't have 2.6 kernel environment other than Fedora Core 3.
But anyway, I have to give up checking for CAP_SYS_ADMIN .
Thank you.
--
Tetsuo Handa
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Is CAP_SYS_ADMIN checked by every program !?
2004-12-30 7:40 ` Tetsuo Handa
@ 2004-12-30 8:24 ` Bernd Eckenfels
2005-01-03 13:52 ` Stephen Smalley
1 sibling, 0 replies; 10+ messages in thread
From: Bernd Eckenfels @ 2004-12-30 8:24 UTC (permalink / raw)
To: linux-kernel
In article <200412301640.FCB13564.FtFPMSMGJtSOLVOYN@i-love.sakura.ne.jp> you wrote:
> But anyway, I have to give up checking for CAP_SYS_ADMIN .
You can add dump_stack(void) from kernel.h to you patch, since there are not
many sources for SYS_ADMIN capabilities checks in the kernel. You will
quickly find the syscall in question.
Greetings
Bernd
y
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Is CAP_SYS_ADMIN checked by every program !?
2004-12-30 7:40 ` Tetsuo Handa
2004-12-30 8:24 ` Bernd Eckenfels
@ 2005-01-03 13:52 ` Stephen Smalley
1 sibling, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2005-01-03 13:52 UTC (permalink / raw)
To: Tetsuo Handa; +Cc: lkml, Chris Wright
On Thu, 2004-12-30 at 02:40, Tetsuo Handa wrote:
> I'm developing a kernel patch that provides simple and handy
> MAC(mandatory access control) functionality, much easier than SELinux.
> And now I'm porting the patch from 2.4 to 2.6,
> though the patch can't support LSM, for it refers 'struct vfsmount'.
>
> At first, I doubted that some kernel function (do_execve(), memory management
> functions, or any kernel functions that are always called by every process) is
> doing this CAP_SYS_ADMIN checking. But may be this CAP_SYS_ADMIN checking is
> caused by the Fedora Core 3's libc, not by the kernel.
> I don't have 2.6 kernel environment other than Fedora Core 3.
>
> But anyway, I have to give up checking for CAP_SYS_ADMIN .
Just override the vm_enough_memory security hook with your own function,
as we do in SELinux, to avoid auditing the CAP_SYS_ADMIN check there.
Note that this issue has also come up again on the linux-security-module
mailing list recently, and might be addressed through a change to the
cap_vm_enough_memory hook function.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Is CAP_SYS_ADMIN checked by every program !?
2004-12-29 4:47 Is CAP_SYS_ADMIN checked by every program !? Tetsuo Handa
` (2 preceding siblings ...)
2004-12-30 5:35 ` Kyle Moffett
@ 2004-12-30 13:37 ` Tetsuo Handa
3 siblings, 0 replies; 10+ messages in thread
From: Tetsuo Handa @ 2004-12-30 13:37 UTC (permalink / raw)
To: linux-kernel
Hello,
Bernd Eckenfels wrote:
> You can add dump_stack(void) from kernel.h to you patch, since there are not
> many sources for SYS_ADMIN capabilities checks in the kernel. You will
> quickly find the syscall in question.
Oh, this is exactly what I need.
And the following is the results of these tow lines.
printk("\n[%s]\n", current->comm);
dump_stack();
[ls]
[<c01e1852>] cap_vm_enough_memory+0x82/0x1f0
[<c0156dcd>] setup_arg_pages+0x9d/0x230
[<c0174373>] load_elf_binary+0x473/0xca0
[<c01334e7>] __alloc_pages+0xa7/0x360
[<c0156bdd>] copy_strings+0x1dd/0x200
[<c0157b00>] search_binary_handler+0x50/0x170
[<c0157d9e>] do_execve+0x17e/0x210
[<c01010bc>] sys_execve+0x3c/0x80
[<c010246d>] sysenter_past_esp+0x52/0x75
[cat]
[<c01e1852>] cap_vm_enough_memory+0x82/0x1f0
[<c0156dcd>] setup_arg_pages+0x9d/0x230
[<c0174373>] load_elf_binary+0x473/0xca0
[<c01334e7>] __alloc_pages+0xa7/0x360
[<c0156bdd>] copy_strings+0x1dd/0x200
[<c0157b00>] search_binary_handler+0x50/0x170
[<c0157d9e>] do_execve+0x17e/0x210
[<c01010bc>] sys_execve+0x3c/0x80
[<c010246d>] sysenter_past_esp+0x52/0x75
[tcsh]
[<c01e1852>] cap_vm_enough_memory+0x82/0x1f0
[<c0112c1e>] copy_mm+0x17e/0x360
[<c0113686>] copy_process+0x406/0x9c0
[<c0113d45>] do_fork+0x75/0x1ad
[<c01e753e>] copy_to_user+0x3e/0x50
[<c011f85e>] sys_rt_sigprocmask+0xae/0x100
[<c010103c>] sys_clone+0x3c/0x40
[<c010246d>] sysenter_past_esp+0x52/0x75
[sed]
[<c01e1852>] cap_vm_enough_memory+0x82/0x1f0
[<c0156dcd>] setup_arg_pages+0x9d/0x230
[<c0174373>] load_elf_binary+0x473/0xca0
[<c01334e7>] __alloc_pages+0xa7/0x360
[<c0156bdd>] copy_strings+0x1dd/0x200
[<c0157b00>] search_binary_handler+0x50/0x170
[<c0157d9e>] do_execve+0x17e/0x210
[<c01010bc>] sys_execve+0x3c/0x80
[<c010246d>] sysenter_past_esp+0x52/0x75
[klogd]
[<c01e179c>] cap_syslog+0x4c/0x80
[<c011445d>] do_syslog+0x2d/0x380
[<c0127640>] autoremove_wake_function+0x0/0x60
[<c011cb84>] update_process_times+0x44/0x50
[<c0127640>] autoremove_wake_function+0x0/0x60
[<c014cda6>] vfs_read+0x116/0x160
[<c014d0b1>] sys_read+0x51/0x80
[<c010246d>] sysenter_past_esp+0x52/0x75
The function which calls capable(CAP_SYS_ADMIN) is
cap_vm_enough_memory() defined in security/commoncap.c ,
and this function is called whenever sys_execve() is called.
Therefore, it seemed to me that every program calls capable(CAP_SYS_ADMIN).
Thank you very much.
--
Tetsuo Handa
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2005-01-03 13:58 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2004-12-29 4:47 Is CAP_SYS_ADMIN checked by every program !? Tetsuo Handa
2004-12-30 3:52 ` Walter Liu
2004-12-30 4:45 ` Bernd Eckenfels
2004-12-30 5:35 ` Kyle Moffett
2004-12-30 5:46 ` Valdis.Kletnieks
2004-12-30 6:13 ` Bernd Eckenfels
2004-12-30 7:40 ` Tetsuo Handa
2004-12-30 8:24 ` Bernd Eckenfels
2005-01-03 13:52 ` Stephen Smalley
2004-12-30 13:37 ` Tetsuo Handa
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).