* [cifs-utils PATCH] cifs.upcall: trim even more capabilities
@ 2017-02-16 14:59 Jeff Layton
From: Jeff Layton @ 2017-02-16 14:59 UTC
To: linux-cifs-u79uwXL29TY76Z2rM5mHXA,
samba-technical-w/Ol4Ecudpl8XjKLYN78aQ
Cc: simo-H+wXaHxf7aLQT0dZR+AlfA
We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and
only when we are going to probe the environ file.
Also, fix the non-libcap-ng trim_capabilities prototype.
Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
---
cifs.upcall.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 6d9c427b7032..dae58b919408 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -70,22 +70,21 @@ typedef enum _sectype {
#ifdef HAVE_LIBCAP_NG
static int
-trim_capabilities(bool need_ptrace)
+trim_capabilities(bool need_environ)
{
capng_clear(CAPNG_SELECT_BOTH);
- /*
- * Need PTRACE and DAC_OVERRIDE for environment scraping, SETGID to
- * change gid and grouplist, and SETUID to change uid.
- */
+ /* SETUID and SETGID to change uid, gid, and grouplist */
if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE,
- CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE, -1)) {
+ CAP_SETUID, CAP_SETGID, -1)) {
syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__);
return 1;
}
- if (need_ptrace &&
- capng_update(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, CAP_SYS_PTRACE)) {
+ /* Need PTRACE and DAC_OVERRIDE for environment scraping */
+ if (need_environ &&
+ capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE,
+ CAP_SYS_PTRACE, CAP_DAC_READ_SEARCH, -1)) {
syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__);
return 1;
}
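Review bot: The new comment above the need_environ branch still names DAC_OVERRIDE, while the capng_updatev() call directly under it adds CAP_SYS_PTRACE and CAP_DAC_READ_SEARCH. It should read "Need PTRACE and DAC_READ_SEARCH for environment scraping". The purpose of the change is that CAP_DAC_OVERRIDE is no longer retained at all, so a leftover mention of it would mislead anyone auditing which capabilities the helper keeps. Both failure branches also log the identical "Unable to update capability set" string; naming the capabilities in each message would show which call failed.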
@@ -109,7 +108,7 @@ drop_all_capabilities(void)
}
#else /* HAVE_LIBCAP_NG */
static int
-trim_capabilities(void)
+trim_capabilities(bool unused)
{
return 0;
}
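Review bot: In the non-libcap-ng stub, the parameter is declared as "bool unused" while the libcap-ng variant calls it need_environ, and the stub body never references it. Keeping the name need_environ in both variants and marking it unused would make the two prototypes read the same and avoid an unused-parameter warning on stricter builds. The stub also returns 0 without dropping anything, so a short comment stating that builds without HAVE_LIBCAP_NG keep their full capability set would make that visible to callers.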
--
2.9.3
* Re: [cifs-utils PATCH] cifs.upcall: trim even more capabilities
From: Simo Sorce @ 2017-02-16 15:07 UTC
To: Jeff Layton
Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA,
samba-technical-w/Ol4Ecudpl8XjKLYN78aQ
Reviewed-by: Simo Sorce <simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On Thu, 2017-02-16 at 09:59 -0500, Jeff Layton wrote:
> We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and
> only when we are going to probe the environ file.
>
> Also, fix the non-libcap-ng trim_capabilities prototype.
>
> Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
> ---
> cifs.upcall.c | 17 ++++++++---------
> 1 file changed, 8 insertions(+), 9 deletions(-)
>
> diff --git a/cifs.upcall.c b/cifs.upcall.c
> index 6d9c427b7032..dae58b919408 100644
> --- a/cifs.upcall.c
> +++ b/cifs.upcall.c
> @@ -70,22 +70,21 @@ typedef enum _sectype {
>
> #ifdef HAVE_LIBCAP_NG
> static int
> -trim_capabilities(bool need_ptrace)
> +trim_capabilities(bool need_environ)
> {
> capng_clear(CAPNG_SELECT_BOTH);
>
> - /*
> - * Need PTRACE and DAC_OVERRIDE for environment scraping, SETGID to
> - * change gid and grouplist, and SETUID to change uid.
> - */
> + /* SETUID and SETGID to change uid, gid, and grouplist */
> if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE,
> - CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE, -1)) {
> + CAP_SETUID, CAP_SETGID, -1)) {
> syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__);
> return 1;
> }
>
> - if (need_ptrace &&
> - capng_update(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, CAP_SYS_PTRACE)) {
> + /* Need PTRACE and DAC_OVERRIDE for environment scraping */
> + if (need_environ &&
> + capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE,
> + CAP_SYS_PTRACE, CAP_DAC_READ_SEARCH, -1)) {
> syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__);
> return 1;
> }
> @@ -109,7 +108,7 @@ drop_all_capabilities(void)
> }
> #else /* HAVE_LIBCAP_NG */
> static int
> -trim_capabilities(void)
> +trim_capabilities(bool unused)
> {
> return 0;
> }
--
Simo Sorce * Red Hat, Inc * New York
* Re: [cifs-utils PATCH] cifs.upcall: trim even more capabilities
From: Pavel Shilovsky @ 2017-02-16 17:28 UTC
To: Jeff Layton; +Cc: linux-cifs, samba-technical, simo-H+wXaHxf7aLQT0dZR+AlfA
2017-02-16 6:59 GMT-08:00 Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>:
> We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and
> only when we are going to probe the environ file.
>
> Also, fix the non-libcap-ng trim_capabilities prototype.
>
> Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
> ---
> cifs.upcall.c | 17 ++++++++---------
> 1 file changed, 8 insertions(+), 9 deletions(-)
>
> diff --git a/cifs.upcall.c b/cifs.upcall.c
> index 6d9c427b7032..dae58b919408 100644
> --- a/cifs.upcall.c
> +++ b/cifs.upcall.c
> @@ -70,22 +70,21 @@ typedef enum _sectype {
>
> #ifdef HAVE_LIBCAP_NG
> static int
> -trim_capabilities(bool need_ptrace)
> +trim_capabilities(bool need_environ)
> {
> capng_clear(CAPNG_SELECT_BOTH);
>
> - /*
> - * Need PTRACE and DAC_OVERRIDE for environment scraping, SETGID to
> - * change gid and grouplist, and SETUID to change uid.
> - */
> + /* SETUID and SETGID to change uid, gid, and grouplist */
> if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE,
> - CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE, -1)) {
> + CAP_SETUID, CAP_SETGID, -1)) {
> syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__);
> return 1;
> }
>
> - if (need_ptrace &&
> - capng_update(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, CAP_SYS_PTRACE)) {
> + /* Need PTRACE and DAC_OVERRIDE for environment scraping */

It seems that the comment above doesn't reflect the proposed change.
Should it be DAC_READ_SEARCH instead?

> + if (need_environ &&
> + capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE,
> + CAP_SYS_PTRACE, CAP_DAC_READ_SEARCH, -1)) {
> syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__);
> return 1;
> }
> @@ -109,7 +108,7 @@ drop_all_capabilities(void)
> }
> #else /* HAVE_LIBCAP_NG */
> static int
> -trim_capabilities(void)
> +trim_capabilities(bool unused)
> {
> return 0;
> }
> --
> 2.9.3
--
Best regards,
Pavel Shilovsky
* Re: [cifs-utils PATCH] cifs.upcall: trim even more capabilities
From: Jeff Layton @ 2017-02-16 17:44 UTC
To: Pavel Shilovsky; +Cc: linux-cifs, samba-technical, simo-H+wXaHxf7aLQT0dZR+AlfA
On Thu, 2017-02-16 at 09:28 -0800, Pavel Shilovsky wrote:
> 2017-02-16 6:59 GMT-08:00 Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>:
> > We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and
> > only when we are going to probe the environ file.
> >
> > Also, fix the non-libcap-ng trim_capabilities prototype.
> >
> > Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
> > ---
> > cifs.upcall.c | 17 ++++++++---------
> > 1 file changed, 8 insertions(+), 9 deletions(-)
> >
> > diff --git a/cifs.upcall.c b/cifs.upcall.c
> > index 6d9c427b7032..dae58b919408 100644
> > --- a/cifs.upcall.c
> > +++ b/cifs.upcall.c
> > @@ -70,22 +70,21 @@ typedef enum _sectype {
> >
> > #ifdef HAVE_LIBCAP_NG
> > static int
> > -trim_capabilities(bool need_ptrace)
> > +trim_capabilities(bool need_environ)
> > {
> > capng_clear(CAPNG_SELECT_BOTH);
> >
> > - /*
> > - * Need PTRACE and DAC_OVERRIDE for environment scraping, SETGID to
> > - * change gid and grouplist, and SETUID to change uid.
> > - */
> > + /* SETUID and SETGID to change uid, gid, and grouplist */
> > if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE,
> > - CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE, -1)) {
> > + CAP_SETUID, CAP_SETGID, -1)) {
> > syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__);
> > return 1;
> > }
> >
> > - if (need_ptrace &&
> > - capng_update(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, CAP_SYS_PTRACE)) {
> > + /* Need PTRACE and DAC_OVERRIDE for environment scraping */
>
> It seems that the comment above doesn't reflect the proposed change.
> Should it be DAC_READ_SEARCH instead?
>
Yes! It should and it's fixed in the version in the tree.
Thanks,
--
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>