linux-kernel.vger.kernel.org archive mirror
From: jnf <jnf@innocence-lost.us>
To: linux-kernel@vger.kernel.org
Subject: linux capabilities ?
Date: Thu, 20 Jan 2005 11:02:26 -0700 (MST)
Message-ID: <Pine.LNX.4.61.0501201053070.24484@fhozvffvba.vaabprapr-ybfg.arg>

Hi.

I have been playing a little here and there with Linux capabilities, and
seem to be hitting a few snags, so I was hoping to obtain some input on
their current status. The kernel on the box in question is 2.6.10, with
the CAP_INIT_EFF_SET macro modified to allow init to have CAP_SETPCAP.

I am mostly trying to accomplish this so that I can run syslog as a
non-root user, and as I understand it from digging through the source, one
should be able to accomplish this with the CAP_SYS_ADMIN capability;
however, this does not appear to be true?

In kernel/printk.c I see:

        error = security_syslog(type);
        if (error)
                return error;

which is defined in something like include/linux/security.h as a pointer
to cap_syslog(), which in turn is defined in security/commoncap.c where I
see:

        if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
                return -EPERM;
        return 0;


Type 3 is:
*      3 -- Read up to the last 4k of messages in the ring buffer.

So when I give the process CAP_SYS_ADMIN I still cannot seem to read from
/proc/kmsg. I also tried giving it CAP_DAC_OVERRIDE just to test whether
DACs were the problem, but that didn't seem to help any.

So with that said, does anyone have any ideas as to what I need to do? Any
details on the current state of the capabilities would be helpful.

Thanks,

jnf
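
Added example (not part of the message above and not kernel source): a small C diagnostic that reads the CapEff line of /proc/self/status and applies the cap_syslog() rule quoted in the message to it, to confirm whether the running process really holds CAP_SYS_ADMIN in its effective set. The function names parse_capeff, has_cap and syslog_check are hypothetical; the capability numbers are the ones in include/linux/capability.h.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_DAC_OVERRIDE 1   /* numbering from include/linux/capability.h */
#define CAP_SYS_ADMIN    21

/* Parse a "CapEff:\t<hex>" line from /proc/<pid>/status into a bitmask.
 * Returns 0 on success, -1 if this is not a usable CapEff line. */
int parse_capeff(const char *line, unsigned long long *mask)
{
    char *end;

    if (strncmp(line, "CapEff:", 7) != 0)
        return -1;
    errno = 0;
    *mask = strtoull(line + 7, &end, 16);   /* skips the leading tab */
    return (errno || end == line + 7) ? -1 : 0;
}

int has_cap(unsigned long long mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Same rule as the cap_syslog() excerpt: every syslog type except
 * 3 and 10 requires CAP_SYS_ADMIN. Returns 0 or -EPERM. */
int syslog_check(int type, unsigned long long eff)
{
    if ((type != 3 && type != 10) && !has_cap(eff, CAP_SYS_ADMIN))
        return -EPERM;
    return 0;
}

int main(void)
{
    char line[256];
    unsigned long long eff = 0;
    FILE *f = fopen("/proc/self/status", "r");

    if (!f) { perror("/proc/self/status"); return 1; }
    while (fgets(line, sizeof line, f) && parse_capeff(line, &eff) != 0)
        ;                                   /* stop at the CapEff line */
    fclose(f);
    printf("CapEff=%#llx CAP_SYS_ADMIN=%d CAP_DAC_OVERRIDE=%d\n", eff,
           has_cap(eff, CAP_SYS_ADMIN), has_cap(eff, CAP_DAC_OVERRIDE));
    for (int type = 0; type <= 10; type++)  /* syslog(2) command numbers */
        printf("syslog type %2d -> %s\n", type,
               syslog_check(type, eff) ? "EPERM" : "allowed");
    return 0;
}
```

Run it under the same account and launch method as the syslog daemon, since the effective set it reports is that of the process it runs in.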
