* [cifs-utils PATCH] cifs.upcall: trim even more capabilities
@ 2017-02-16 14:59 Jeff Layton
[not found] ` <20170216145913.15848-1-jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
0 siblings, 1 reply; 4+ messages in thread
From: Jeff Layton @ 2017-02-16 14:59 UTC (permalink / raw)
To: linux-cifs-u79uwXL29TY76Z2rM5mHXA,
samba-technical-w/Ol4Ecudpl8XjKLYN78aQ
Cc: simo-H+wXaHxf7aLQT0dZR+AlfA
We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and
only when we are going to probe the environ file.
Also, fix the non-libcap-ng trim_capabilities prototype.
Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
---
cifs.upcall.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 6d9c427b7032..dae58b919408 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -70,22 +70,21 @@ typedef enum _sectype {
#ifdef HAVE_LIBCAP_NG
static int
-trim_capabilities(bool need_ptrace)
+trim_capabilities(bool need_environ)
{
capng_clear(CAPNG_SELECT_BOTH);
- /*
- * Need PTRACE and DAC_OVERRIDE for environment scraping, SETGID to
- * change gid and grouplist, and SETUID to change uid.
- */
+ /* SETUID and SETGID to change uid, gid, and grouplist */
if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE,
- CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE, -1)) {
+ CAP_SETUID, CAP_SETGID, -1)) {
syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__);
return 1;
}
- if (need_ptrace &&
- capng_update(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, CAP_SYS_PTRACE)) {
+ /* Need PTRACE and DAC_OVERRIDE for environment scraping */
+ if (need_environ &&
+ capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE,
+ CAP_SYS_PTRACE, CAP_DAC_READ_SEARCH, -1)) {
syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__);
return 1;
}
@@ -109,7 +108,7 @@ drop_all_capabilities(void)
}
#else /* HAVE_LIBCAP_NG */
static int
-trim_capabilities(void)
+trim_capabilities(bool unused)
{
return 0;
}
--
2.9.3
^ permalink raw reply related [flat|nested] 4+ messages in thread[parent not found: <20170216145913.15848-1-jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>]
* Re: [cifs-utils PATCH] cifs.upcall: trim even more capabilities [not found] ` <20170216145913.15848-1-jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> @ 2017-02-16 15:07 ` Simo Sorce 2017-02-16 17:28 ` Pavel Shilovsky 1 sibling, 0 replies; 4+ messages in thread From: Simo Sorce @ 2017-02-16 15:07 UTC (permalink / raw) To: Jeff Layton Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA, samba-technical-w/Ol4Ecudpl8XjKLYN78aQ Reviewed-by: Simo Sorce <simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> On Thu, 2017-02-16 at 09:59 -0500, Jeff Layton wrote: > We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and > only when we are going to probe the environ file. > > Also, fix the non-libcap-ng trim_capabilities prototype. > > Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> > --- > cifs.upcall.c | 17 ++++++++--------- > 1 file changed, 8 insertions(+), 9 deletions(-) > > diff --git a/cifs.upcall.c b/cifs.upcall.c > index 6d9c427b7032..dae58b919408 100644 > --- a/cifs.upcall.c > +++ b/cifs.upcall.c > @@ -70,22 +70,21 @@ typedef enum _sectype { > > #ifdef HAVE_LIBCAP_NG > static int > -trim_capabilities(bool need_ptrace) > +trim_capabilities(bool need_environ) > { > capng_clear(CAPNG_SELECT_BOTH); > > - /* > - * Need PTRACE and DAC_OVERRIDE for environment scraping, SETGID to > - * change gid and grouplist, and SETUID to change uid. > - */ > + /* SETUID and SETGID to change uid, gid, and grouplist */ > if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, > - CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE, -1)) { > + CAP_SETUID, CAP_SETGID, -1)) { > syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__); > return 1; > } > > - if (need_ptrace && > - capng_update(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, CAP_SYS_PTRACE)) { > + /* Need PTRACE and DAC_OVERRIDE for environment scraping */ > + if (need_environ && > + capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, > + CAP_SYS_PTRACE, CAP_DAC_READ_SEARCH, -1)) { > syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__); > return 1; > } > @@ -109,7 +108,7 @@ drop_all_capabilities(void) > } > #else /* HAVE_LIBCAP_NG */ > static int > -trim_capabilities(void) > +trim_capabilities(bool unused) > { > return 0; > } -- Simo Sorce * Red Hat, Inc * New York ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [cifs-utils PATCH] cifs.upcall: trim even more capabilities [not found] ` <20170216145913.15848-1-jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> 2017-02-16 15:07 ` Simo Sorce @ 2017-02-16 17:28 ` Pavel Shilovsky [not found] ` <CAKywueQiDRKZPW3ev7OBmXea=h7W1bc_5rtf9Ds7NChVm6=gbg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 1 sibling, 1 reply; 4+ messages in thread From: Pavel Shilovsky @ 2017-02-16 17:28 UTC (permalink / raw) To: Jeff Layton; +Cc: linux-cifs, samba-technical, simo-H+wXaHxf7aLQT0dZR+AlfA 2017-02-16 6:59 GMT-08:00 Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>: > We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and > only when we are going to probe the environ file. > > Also, fix the non-libcap-ng trim_capabilities prototype. > > Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> > --- > cifs.upcall.c | 17 ++++++++--------- > 1 file changed, 8 insertions(+), 9 deletions(-) > > diff --git a/cifs.upcall.c b/cifs.upcall.c > index 6d9c427b7032..dae58b919408 100644 > --- a/cifs.upcall.c > +++ b/cifs.upcall.c > @@ -70,22 +70,21 @@ typedef enum _sectype { > > #ifdef HAVE_LIBCAP_NG > static int > -trim_capabilities(bool need_ptrace) > +trim_capabilities(bool need_environ) > { > capng_clear(CAPNG_SELECT_BOTH); > > - /* > - * Need PTRACE and DAC_OVERRIDE for environment scraping, SETGID to > - * change gid and grouplist, and SETUID to change uid. > - */ > + /* SETUID and SETGID to change uid, gid, and grouplist */ > if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, > - CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE, -1)) { > + CAP_SETUID, CAP_SETGID, -1)) { > syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__); > return 1; > } > > - if (need_ptrace && > - capng_update(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, CAP_SYS_PTRACE)) { > + /* Need PTRACE and DAC_OVERRIDE for environment scraping */ It seems that the comment above doesn't reflect the proposed change. Should it be DAC_READ_SEARCH instead? > + if (need_environ && > + capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, > + CAP_SYS_PTRACE, CAP_DAC_READ_SEARCH, -1)) { > syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__); > return 1; > } > @@ -109,7 +108,7 @@ drop_all_capabilities(void) > } > #else /* HAVE_LIBCAP_NG */ > static int > -trim_capabilities(void) > +trim_capabilities(bool unused) > { > return 0; > } > -- > 2.9.3 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-cifs" in > the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- Best regards, Pavel Shilovsky ^ permalink raw reply [flat|nested] 4+ messages in thread
[parent not found: <CAKywueQiDRKZPW3ev7OBmXea=h7W1bc_5rtf9Ds7NChVm6=gbg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]
* Re: [cifs-utils PATCH] cifs.upcall: trim even more capabilities [not found] ` <CAKywueQiDRKZPW3ev7OBmXea=h7W1bc_5rtf9Ds7NChVm6=gbg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> @ 2017-02-16 17:44 ` Jeff Layton 0 siblings, 0 replies; 4+ messages in thread From: Jeff Layton @ 2017-02-16 17:44 UTC (permalink / raw) To: Pavel Shilovsky; +Cc: linux-cifs, samba-technical, simo-H+wXaHxf7aLQT0dZR+AlfA On Thu, 2017-02-16 at 09:28 -0800, Pavel Shilovsky wrote: > 2017-02-16 6:59 GMT-08:00 Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>: > > We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and > > only when we are going to probe the environ file. > > > > Also, fix the non-libcap-ng trim_capabilities prototype. > > > > Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> > > --- > > cifs.upcall.c | 17 ++++++++--------- > > 1 file changed, 8 insertions(+), 9 deletions(-) > > > > diff --git a/cifs.upcall.c b/cifs.upcall.c > > index 6d9c427b7032..dae58b919408 100644 > > --- a/cifs.upcall.c > > +++ b/cifs.upcall.c > > @@ -70,22 +70,21 @@ typedef enum _sectype { > > > > #ifdef HAVE_LIBCAP_NG > > static int > > -trim_capabilities(bool need_ptrace) > > +trim_capabilities(bool need_environ) > > { > > capng_clear(CAPNG_SELECT_BOTH); > > > > - /* > > - * Need PTRACE and DAC_OVERRIDE for environment scraping, SETGID to > > - * change gid and grouplist, and SETUID to change uid. > > - */ > > + /* SETUID and SETGID to change uid, gid, and grouplist */ > > if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, > > - CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE, -1)) { > > + CAP_SETUID, CAP_SETGID, -1)) { > > syslog(LOG_ERR, "%s: Unable to update capability set: %m\n", __func__); > > return 1; > > } > > > > - if (need_ptrace && > > - capng_update(CAPNG_ADD, CAPNG_PERMITTED|CAPNG_EFFECTIVE, CAP_SYS_PTRACE)) { > > + /* Need PTRACE and DAC_OVERRIDE for environment scraping */ > > It seems that the comment above doesn't reflect the proposed change. > Should it be DAC_READ_SEARCH instead? > Yes! It should and it's fixed in the version in the tree. Thanks, -- Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-02-16 17:44 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-02-16 14:59 [cifs-utils PATCH] cifs.upcall: trim even more capabilities Jeff Layton
[not found] ` <20170216145913.15848-1-jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
2017-02-16 15:07 ` Simo Sorce
2017-02-16 17:28 ` Pavel Shilovsky
[not found] ` <CAKywueQiDRKZPW3ev7OBmXea=h7W1bc_5rtf9Ds7NChVm6=gbg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-02-16 17:44 ` Jeff Layton
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.