From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Gábor Lénárt" <lgb@lgb.hu>
Cc: linux-kernel@vger.kernel.org
Subject: Re: capabilities question(s)
Date: Thu, 10 Nov 2011 15:59:47 +0000 [thread overview]
Message-ID: <20111110155947.GA17085@hallyn.com> (raw)
In-Reply-To: <20111110115144.GD10997@vega.lgb.hu>
Quoting Gábor Lénárt (lgb@lgb.hu):
> Hi All,
>
> I have the problem that I can't find too much informations about
> capabilities implemented by the Linux kernel, and its usage.
> I even don't have header file sys/capability.h suggested by man
> page of capget (on ubuntu, if it does count). However it's not the major
> problem, as I've found example to use syscall() from sys/syscall.h and
> stuffs in linux/capability.h. Well, ignore it, I've just found out
> that I need libcap-dev to install. However the problem remains:
>
> What I want to do: I need user to be able to do chroot() once, then I want
> to drop that capability (to be safe?). My program (a server) runs as root,
> but after initialization it changes uid/gid (in a forked process). However
> I want to keep chroot capability even after the uid/gid change so I can do a
> chroot() even as non-root. It it possible at all? I need this so I feel
What you want is
prctl(PR_SET_KEEPCAPS, 1);
That will let you keep the capabilities across the uid change. Note that
this will get reset, and your privilege dropped, after a subsequent execve().
If that doesn't work for you, then you may want to look into running that
task with different securebits settings (using prctl(PR_SET_SECUREBITS, XYZ)).
See 'man 7 capabilities' for more information on that.
HTH,
-serge
> more secure not to run things as root, since I need to do many things before
> I can call chroot(). So I guessed, it's more secure to use non-root user
> to do these, before I can do chroot().
>
> As far as I can see, I can set capability as root, but after uid/gid change,
> I lost that capability, and - of course - I cannot set it as a user then.
>
> Or should I use root user anyway, just drop all of the capabilities I don't
> need just keep uid/gid change and chroot? Anyway, then I have the problem
> that I am still root for the filesystem permission checks, and it's
> something I don't want to do, because the things my server do before chroot
> is not so secure ...
>
> Any ideas are welcome.
>
> Best regards,
>
> Gábor
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
prev parent reply other threads:[~2011-11-10 15:58 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-10 11:51 capabilities question(s) Gábor Lénárt
2011-11-10 15:59 ` Serge E. Hallyn [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111110155947.GA17085@hallyn.com \
--to=serge@hallyn.com \
--cc=lgb@lgb.hu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.