* Sysctl syscall
From: Hasso Tepper @ 2006-11-15 22:03 UTC (permalink / raw)
To: netdev, linux-kernel
Compiling the program, which uses a lot of "sysctl" syscalls, gives me this
warning on Debian unstable:
"warning: the `sysctl' syscall has been removed from 2.6.18+ kernels,
direct access to `/proc/sys' should be used instead."
Is it true? And what can be used as an alternative which would work with both
2.4 and 2.6 kernels and would work with capabilities (sys/capability.h)?
Accessing `/proc/sys' directly isn't such an alternative, as it doesn't work
with capabilities.
regards,
--
Hasso Tepper
Elion Enterprises Ltd. [AS3249]
Data Communication Network Administrator
* Re: Sysctl syscall
From: Jan Engelhardt @ 2006-11-15 22:19 UTC (permalink / raw)
To: Hasso Tepper; +Cc: netdev, linux-kernel
On Nov 16 2006 00:03, Hasso Tepper wrote:
>
>Compiling the program which uses a lot "sysctl" syscalls, gives me this
>warning on Debian unstable:
>
>"warning: the `sysctl' syscall has been removed from 2.6.18+ kernels,
>direct access to `/proc/sys' should be used instead."
>
>Is it true?
Well, it was unobsoleted in 2.6.19, if I followed the list correctly.
>And what can be used as alternative which would work with both
>2.4 and 2.6 kernels
>and would work with capabilities (sys/capability.h)?
>Accessing `/proc/sys' directly isn't such alternative as it doesn't work
>with capabilities.
-`J'
--
* Re: Sysctl syscall
From: Andi Kleen @ 2006-11-17 7:15 UTC (permalink / raw)
To: Hasso Tepper; +Cc: linux-kernel
Hasso Tepper <hasso@estpak.ee> writes:
> 2.4 and 2.6 kernels and would work with capabilities (sys/capability.h)?
> Accessing `/proc/sys' directly isn't such alternative as it doesn't work
> with capabilities.
What do you mean by "/proc/sys doesn't work with capabilities"?
-Andi
* Re: Sysctl syscall
From: Hasso Tepper @ 2006-11-17 8:07 UTC (permalink / raw)
To: Andi Kleen; +Cc: linux-kernel
Andi Kleen wrote:
> Hasso Tepper <hasso@estpak.ee> writes:
> > 2.4 and 2.6 kernels and would work with capabilities
> > (sys/capability.h)? Accessing `/proc/sys' directly isn't such
> > alternative as it doesn't work with capabilities.
>
> What do you mean with "/proc/sys doesn't work with capabilities"?
I have a process which drops root privileges after startup and retains only
some privileges using the CAP_NET_ADMIN and CAP_SYS_ADMIN capabilities.
I can change values in /proc/sys/net/ipv[46]/* (like turning forwarding
on/off) from this process using the sysctl syscall, but I can't write
directly into /proc/sys/net/ipv[46]/* from it.
regards,
--
Hasso Tepper
Elion Enterprises Ltd. [AS3249]
Data Communication Network Administrator
* Re: Sysctl syscall
From: Andi Kleen @ 2006-11-17 9:23 UTC (permalink / raw)
To: Hasso Tepper; +Cc: linux-kernel
On Friday 17 November 2006 09:07, Hasso Tepper wrote:
> I have process which drops root privileges after startup and retains only
> some privileges using CAP_NET_ADMIN and CAP_SYS_ADMIN capabilities.
> I can change values in /proc/sys/net/ipv[46]/* (like turning forwarding
> on/off) from this process using sysctl syscall, but I can't write
> directly into /proc/sys/net/ipv[46]/* from it.
That sounds more like a security bug than a feature to be preserved.
-Andi
* Re: Sysctl syscall
From: Hasso Tepper @ 2006-11-17 9:38 UTC (permalink / raw)
To: Andi Kleen; +Cc: linux-kernel
Andi Kleen wrote:
> On Friday 17 November 2006 09:07, Hasso Tepper wrote:
> > I have process which drops root privileges after startup and retains
> > only some privileges using CAP_NET_ADMIN and CAP_SYS_ADMIN
> > capabilities. I can change values in /proc/sys/net/ipv[46]/* (like
> > turning forwarding on/off) from this process using sysctl syscall,
> > but I can't write directly into /proc/sys/net/ipv[46]/* from it.
>
> That sounds more like a security bug than a feature to be preserved.
Why? IMHO it's normal that a process with the CAP_NET_ADMIN capability can
modify settings in /proc/sys/net/. From /usr/include/sys/capability.h:
/* Allow interface configuration */
/* Allow administration of IP firewall, masquerading and accounting */
/* Allow setting debug option on sockets */
/* Allow modification of routing tables */
/* Allow setting arbitrary process / process group ownership on sockets */
/* Allow binding to any address for transparent proxying */
/* Allow setting TOS (type of service) */
/* Allow setting promiscuous mode */
/* Allow clearing driver statistics */
/* Allow multicasting */
/* Allow read/write of device-specific registers */
/* Allow activation of ATM control sockets */
#define CAP_NET_ADMIN 12
regards,
--
Hasso Tepper
Elion Enterprises Ltd. [AS3249]
Data Communication Network Administrator
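An added example in C (not code from the thread or from any of its posters) of the /proc/sys file access that the compiler warning recommends in place of the sysctl syscall, together with the privilege caveat Hasso describes; the names procsys_path and procsys_write are assumptions made here.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Map a dotted sysctl name ("net.ipv4.ip_forward") onto its /proc/sys
 * path. Rejects names that are empty, do not fit in OUT, or contain '/'
 * or an empty component (".." or a leading/trailing dot), so a caller of
 * a privileged helper cannot point it outside /proc/sys. */
int procsys_path(const char *name, char *out, size_t outlen)
{
    size_t len = strlen(name);
    if (len == 0 || len + sizeof("/proc/sys/") > outlen)
        return -1;
    if (strchr(name, '/') || name[0] == '.' || name[len - 1] == '.' ||
        strstr(name, ".."))
        return -1;
    snprintf(out, outlen, "/proc/sys/%s", name);
    for (char *q = out + sizeof("/proc/sys/") - 1; *q; q++)
        if (*q == '.')
            *q = '/';
    return 0;
}

/* Set sysctl NAME to VALUE through its /proc/sys file, as the compiler
 * warning suggests. Returns 0, or -1 with errno set. This is an ordinary
 * file write, so it passes through the file's DAC permission check (the
 * entries are root-owned, typically mode 0644): a process that dropped
 * uid 0 and kept only CAP_NET_ADMIN gets EACCES, as Hasso reports. */
int procsys_write(const char *name, const char *value)
{
    char path[256];
    if (procsys_path(name, path, sizeof path) < 0) {
        errno = EINVAL;
        return -1;
    }
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    size_t n = strlen(value);
    ssize_t w = write(fd, value, n);
    int saved = (w < 0) ? errno : EIO;   /* EIO covers a short write */
    close(fd);
    if (w < 0 || (size_t)w != n) {
        errno = saved;
        return -1;
    }
    return 0;
}
```

Run as a privilege-dropped process, procsys_write("net.ipv4.ip_forward", "1") returns -1 with errno EACCES, which is the behaviour to expect (and to test for) once the sysctl syscall path is gone.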