* jnf (jnf@innocence-lost.us) wrote:
> I have been playing a little here and there with linux capabilities, and
> seem to be hitting a few snags so I was hoping to obtain some input on
> their current status. The kernel on the box in question is 2.6.10, with
> the CAP_INIT_EFF_SET macro modified to allow init to have CAP_SETPCAP.

This is not exactly safe.  It was removed on purpose.  See this paper:
http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf

> I am mostly trying to accomplish this so that I can run syslog as a
> non-root user and as I understand it by digging through the source, one
> should be able to accomplish this with the CAP_SYS_ADMIN capability;
> however this does not appear to be true?

BTW, CAP_SYS_ADMIN is a lot of privileges, so even this would not be as
secure as you might hope.

> in kernel/printk.c I see
>
>     error = security_syslog(type);
>     if (error)
>         return error;
>
> which is defined in something like include/linux/security.h as a pointer
> to cap_syslog(), which in turn is defined in security/commoncap.c where I
> see:
>
>     if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
>         return -EPERM;
>     return 0;
>
> Type 3 is:
>  * 3 -- Read up to the last 4k of messages in the ring buffer.

3 doesn't require any permissions.  It's like doing 'dmesg'.

> So when I give the process CAP_SYS_ADMIN I still cannot seem to read from
> /proc/kmsg. I also tried giving it CAP_DAC_OVERRIDE just to test to see if
> DACs were the problem but that didn't seem to help any.

Since /proc/kmsg is 0400 you need CAP_DAC_READ_SEARCH (don't necessarily
need full override).  Otherwise, you are right, you do need CAP_SYS_ADMIN.
Or just use syslog(2) directly, and you'll avoid the DAC requirement.

> So with that said, anyone have any ideas as to what I need to do and any
> details on the current state of the capabilities would be helpful.

The best way is to drop the caps from within the syslogd.
Otherwise you will gain/lose all caps on execve() due to the way caps
actually effectively follow uids.  Here, I threw together an example of
some other bits of code I have laying around (run it as root).

thanks,
-chris
--
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
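The attachment Chris refers to is not on this page; the following is an added example (not his code) of the "drop the caps from within the syslogd" approach: started as root, the daemon switches to an unprivileged uid while keeping only CAP_SYS_ADMIN (for syslog(2)) and CAP_DAC_READ_SEARCH (for the 0400 /proc/kmsg). It uses the raw capset(2) syscall with the v3 two-word layout of current kernels rather than the 2.6.10-era one, and SYSLOG_UID/SYSLOG_GID are placeholder values.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

#define SYSLOG_UID 123 /* placeholder uid/gid for the syslog user (assumed, not from the thread) */
#define SYSLOG_GID 123

/* Fill both 32-bit words of a v3 capability set from a list of CAP_* numbers.
 * permitted == effective; inheritable stays empty so nothing survives execve(). */
static void cap_mask(struct __user_cap_data_struct data[2], const int *caps, size_t n)
{
    memset(data, 0, 2 * sizeof(*data));
    for (size_t i = 0; i < n; i++) {
        data[caps[i] / 32].permitted |= 1u << (caps[i] % 32);
        data[caps[i] / 32].effective |= 1u << (caps[i] % 32);
    }
}

/* Effective bits of word w (0 or 1) for the given cap list, so a caller can check the mask. */
static unsigned int cap_word(const int *caps, size_t n, int w)
{
    struct __user_cap_data_struct data[2];
    cap_mask(data, caps, n);
    return data[w].effective;
}

/* Must start as root: switch to uid/gid keeping only caps. Returns 0 on success, -1 on error. */
static int drop_to_user(uid_t uid, gid_t gid, const int *caps, size_t n)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 }; /* pid 0 = self */
    struct __user_cap_data_struct data[2];
    /* Without KEEPCAPS, leaving uid 0 would clear the permitted set as well. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* setuid() emptied the effective set; re-raise only what syslogd needs. */
    cap_mask(data, caps, n);
    return syscall(SYS_capset, &hdr, data) == -1 ? -1 : 0;
}

int main(void)
{
    /* CAP_SYS_ADMIN for syslog(2); CAP_DAC_READ_SEARCH for the 0400 /proc/kmsg. */
    const int keep[] = { CAP_SYS_ADMIN, CAP_DAC_READ_SEARCH };
    if (drop_to_user(SYSLOG_UID, SYSLOG_GID, keep, 2) != 0) { perror("drop_to_user"); return 1; }
    printf("uid=%u effective caps word0=0x%08x\n", (unsigned)getuid(), cap_word(keep, 2, 0));
    return 0;
}
```

After this point the process runs with a non-zero uid and exactly those two capabilities; since the inheritable set is empty, any execve() from here drops them entirely, which is the behaviour Chris describes above.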