From: "Serge E. Hallyn" <serge@hallyn.com>
To: Pavel Machek <pavel@suse.cz>
Cc: Markku Savela <msa@moth.iki.fi>, linux-kernel@vger.kernel.org
Subject: Re: Frustrated with capabilities..
Date: Fri, 29 Aug 2008 11:58:47 -0500
Message-ID: <20080829165847.GA19672@hallyn.com>
In-Reply-To: <20080828141826.GA6797@ucw.cz>

Quoting Pavel Machek (pavel@suse.cz):
> On Wed 2008-08-27 12:31:10, Markku Savela wrote:
> > I just want to run an executable with limited capabilities and assumed
> > the following approach would work fine:
> > 
> >  1) fork process
> >  2) in child
> > 
> >     2.1 set current capabilities (eip) using cap_set_proc
> >     2.2 execve the executable.
> > 
> > But it frigging does not work! Just before the execve, the result of
> > cap_to_text is
> > 
> >     = cap_net_bind_service+eip
> > 
> > but, in the execve executable, the result is suddenly
> > 
> >     = cap_net_bind_service+i
> > 
> > Why does the execve clear the effective and permitted capabilities,
> > against my clear instructions? (I also have the prctl KEEP_CAPS set,

KEEP_CAPS prevents capability set clearing at setuid, not at exec.

> > though in this case it should be irrelevant).
> > 
> > - The kernel is from ubuntu distro, 2.6.24.
> > 
> > - the executable *does* *not* have any setuid/setgid bits
> > 
> > - the upcoming file capabilities will not be any help, because I will
> >   need to start the same executable with different capabilities
> >   depending on context.

They will help.  The context is pI.  When a file is executed, the task's
new permitted set is calculated as:

	pP' = (fI&pI) | (fP & X)

So you can give /bin/foo the file capabilities:
	fI=cap1,cap2,cap3
Then task 1 runs with pI=cap1, so when it executes /bin/foo it will get
	pP' = cap1
Task 2 runs with pI=cap2,cap3,cap4 so when it executes /bin/foo it will
get
	pP' = cap2,cap3

> Yes, you need upcoming filesystem capabilities.  Binary may not
> inherit capabilities unless filesystem flags permit that.
> 
> -- 
> (english) http://www.livejournal.com/~pavelmachek
> (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
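The exec-time rule Serge gives above, worked through as an added example (not code from the thread or from the kernel): it reproduces Markku's "+i"-only result for a binary with no file capabilities, and the two-task /bin/foo scenario. Capability numbers are the Linux ones; cap1/cap2/cap3 are mapped to CAP_CHOWN, CAP_KILL and CAP_NET_RAW by assumption, and the pE' rule (pP' if the file's effective bit is set, else empty) is file-capability semantics not stated in the post.

```python
# Capability numbers as defined by Linux; the subset used here is constructed.
CAP_NAMES = {0: "cap_chown", 5: "cap_kill", 10: "cap_net_bind_service",
             12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}

def capset(*caps):
    """Bitmask from capability numbers."""
    mask = 0
    for c in caps:
        mask |= 1 << c
    return mask

def exec_caps(pI, fI=0, fP=0, fE=False, X=None):
    """Sets after execve of a NON-setuid file, returned as (pI', pP', pE').
    pP' = (fI & pI) | (fP & X)   -- the rule quoted in the post.
    pI' = pI: exec leaves the inheritable set alone, which is why only
    '+i' survives. pE' = pP' when the file's effective bit is set, else
    empty (assumed file-capability semantics). X is the bounding set,
    all-ones by default. Note the pre-exec pP and pE are not inputs at
    all: that is the point of Serge's answer (KEEP_CAPS is irrelevant)."""
    if X is None:
        X = (1 << 64) - 1
    pP = (fI & pI) | (fP & X)
    pE = pP if fE else 0
    return pI, pP, pE

def cap_text(pI, pP, pE):
    """Rough cap_to_text-style rendering: '= cap_a+eip,cap_b+i'."""
    parts = []
    for bit, name in sorted(CAP_NAMES.items()):
        flags = ""
        if pE >> bit & 1: flags += "e"
        if pI >> bit & 1: flags += "i"
        if pP >> bit & 1: flags += "p"
        if flags:
            parts.append(f"{name}+{flags}")
    return "= " + ",".join(parts) if parts else "="

# Scenario 1 (constructed to mirror Markku's post): parent had
# cap_net_bind_service in eip, then execs a binary with no file caps.
def markku_case():
    nbs = capset(10)
    return cap_text(*exec_caps(pI=nbs))   # -> "= cap_net_bind_service+i"

# Scenario 2 (Serge's /bin/foo): fI=cap1,cap2,cap3 on the file, and two
# tasks whose pI differs select different permitted sets after exec.
FI_FOO = capset(0, 5, 13)   # cap1=CAP_CHOWN, cap2=CAP_KILL, cap3=CAP_NET_RAW
def task_permitted(pI):
    return exec_caps(pI, fI=FI_FOO)[1]
```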

Thread overview: 12+ messages
2008-08-27  9:31 Frustrated with capabilities Markku Savela
2008-08-28 14:18 ` Pavel Machek
2008-08-28 14:45   ` Markku Savela
2008-08-28 17:48     ` Theodore Tso
2008-08-28 21:03       ` David P. Quigley
2008-08-29  4:47         ` Casey Schaufler
2008-08-29 14:20           ` David P. Quigley
2008-08-29 10:18       ` Markku Savela
2008-08-29 10:47         ` James Morris
2008-08-29 14:07         ` Theodore Tso
2008-08-29 17:11         ` Serge E. Hallyn
2008-08-29 16:58   ` Serge E. Hallyn [this message]