From: Andrew Morgan <morgan@transmeta.com>
To: Don Cohen <don-linux@isis.cs3-inc.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: execve setting capabilities incorrectly ?
Date: Tue, 14 Jan 2003 10:18:41 -0800 [thread overview]
Message-ID: <3E245481.5050606@transmeta.com> (raw)
In-Reply-To: <200301141800.h0EI0WS13467@isis.cs3-inc.com>
execcap doesn't work.
Long story: Linux capabilities don't really work as POSIX intended them
to work without filesystem support. I am not working on this these days,
although there are some mostly complete patches on kernel.org for old
kernels.
Because of the ambiguity of what setuid() does with the behavior I
discussed in this old email, when combined with certain setuid-0
programs, we had to make the kernel's default policy less like POSIX and
more like the legacy superuser model.
You used to be able to make it work as it did in the examples below by
raising the inheritable set and lowering the cap_bound set (which is
another hack POSIX didn't specify).
In the absence of filesystem support for capabilities, various folk have
come up with their own ways of leveraging the capabilities to implement
some security models. I fear that completing the capability support as
the POSIX draft defines them will break these other approaches.
I hope that helps clarify what you are seeing.
Cheers
Andrew [who isn't subscribed to the kernel mailing list.]
Don Cohen wrote:
> Please cc me in replies.
>
> quoting from message dated 1998/06 to this list from Andrew Morgan
> Subject: Fwd: Re: Capabilities
> ...
> [root@godzilla progs]# ./execcap cap_net_bind_service=i sleep 1000 &
> [1] 600
> [root@godzilla progs]# cat /proc/600/status
> ...
> CapInh: 0000000000000400
> CapPrm: 0000000000000400
> CapEff: 0000000000000400
>
> My corresponding output ends up with
> CapInh: 0000000000000400
> CapPrm: 00000000fffffeff
> CapEff: 00000000fffffeff
>
> I've tried in 2.4.18 and in 2.2.16, both give the same result so
> I guess it's been this way for some time.
>
> The caps seem to be set correctly by execcap but execve resets them.
> Is this intentional?
> If so, how is one now supposed to get the desired effects?
>
>
> What's really weird (can someone explain this?) is that things
> seem to work better under strace:
> strace ./execcap = head <some file root has no permission to read>
> => permission denied
> whereas without the strace it reads the file.
>
next prev parent reply other threads:[~2003-01-14 18:10 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-01-14 18:00 execve setting capabilities incorrectly ? Don Cohen
2003-01-14 18:18 ` Andrew Morgan [this message]
2003-01-14 18:47 ` Don Cohen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3E245481.5050606@transmeta.com \
--to=morgan@transmeta.com \
--cc=don-linux@isis.cs3-inc.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).